Internet Explorer can misinterpret some IP addresses as belonging to an intranet site rather than an Internet site, bypassing normal security protocols that are applied to Web sites but are not enforced against internal HTML documents. This flaw is addressed by the latest Microsoft Security Bulletin MS01-051, as are two other vulnerabilities in several versions of IE.
The second vulnerability involves a way attackers can cause IE to contact a Web site, send a command as soon as the connection has been established, and make it appear that this command comes from a third party. According to Microsoft, this could allow someone to spoof a user and delete information such as e-mail from Internet accounts.
The third vulnerability addressed by MS01-051 is related to a specific version of Telnet. The flaw in IE allows command-line actions, which should be blocked, to be executed. This is a variant of a flaw covered by an earlier Microsoft Security Bulletin, as we’ll discuss below.
The following products are affected by one or more of the three patches in bulletin MS01-051:
- Microsoft Internet Explorer 6
- Microsoft Internet Explorer 5.5 Service Pack 2
- Microsoft Internet Explorer 5.01 Service Pack 2
- Telnet client from the Services for UNIX 2.0 add-on package
Earlier versions of IE are probably affected as well, but Microsoft no longer supports earlier IE versions and doesn’t report on possible vulnerabilities in any nonsupported software.
Risk level: Moderate to low
The highest risk among the IE flaws is posed by the security zone spoofing flaw, in which a browser may be tricked into giving intranet privileges to random Internet sites. The IP spoofing vulnerability—which does not affect IE 6—results from incorrect handling of some specially malformed IP addresses that lack the usual period punctuation (e.g., 2074613113 instead of 220.127.116.11). The malformed addresses can trick IE into believing it is loading an intranet site when it is actually viewing an Internet site, and may therefore grant too many privileges.
IE has four security zones with different settings for each. The zones range from Restricted, for sites that are considered insecure, to Trusted, which has the highest privileges. Internet Zone and Intranet Zone fall between those two extremes in terms of the privileges that are automatically granted to Web pages. By default, each zone gets one of four security settings (Restricted–High, Internet–Medium, Local Intranet–Medium-low, and Trusted–Low), but users or administrators can configure custom settings for each zone.
This flaw is really only a danger for installations where the IE security defaults have been replaced with custom settings. Microsoft’s default settings for the Intranet and Internet zones are nearly identical and offer relatively good protection. The biggest threat is to installations where intranets are thoroughly integrated into daily business activities, and the default settings for IE have therefore been significantly altered to support various additional capabilities.
The Intranet Zone can’t include or exclude individual sites. Depending on the format of the IP address, IE automatically assigns internal systems to this zone. Again, if your systems have been left with the default IE settings, this vulnerability won’t allow any destructive action to be taken as a result of the flaw.
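The following is an added example, not code from Microsoft or from this article. It models the zone decision as "a host with no periods is an intranet name" (a simplifying assumption) and shows how converting an all-digit host to its dotted form before the check removes the mismatch. The function names and sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URLs; 3221225985 is the single-integer form of 192.0.2.1,
# a documentation address (RFC 5737).
SAMPLE_URLS = [
    "http://payroll/index.htm",
    "http://www.example.com/",
    "http://3221225985/page.htm",
    "http://192.0.2.1/page.htm",
]


def dotless_ipv4(host):
    """Return the dotted form of an all-digit 32-bit host, else None."""
    if not (host.isascii() and host.isdigit()):
        return None
    value = int(host)
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def naive_zone(host):
    """Simplified model (assumption): no period in the host means intranet."""
    return "intranet" if "." not in host else "internet"


def checked_zone(host):
    """Canonicalize a dotless address first, then apply the same rule."""
    return naive_zone(dotless_ipv4(host) or host)


def audit(urls):
    """List (url, dotted address) pairs where the two checks disagree."""
    findings = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if naive_zone(host) != checked_zone(host):
            findings.append((url, dotless_ipv4(host)))
    return findings


if __name__ == "__main__":
    for url, dotted in audit(SAMPLE_URLS):
        print(f"{url} -> host is {dotted}, should not get intranet settings")
```

The same `audit` function can be run over URLs taken from proxy or browser history logs to find requests that used the dotless form.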
The second vulnerability addressed by MS01-051 is an HTTP request encoding vulnerability that can allow an attacker to spoof someone’s identity at a specific Web site and perform actions such as deleting e-mail. This poses a moderate to low risk on an individual basis, mostly from internal attacks. To take advantage of the flaw, an attacker would require specific knowledge of the user and how he or she operates on the Internet. This doesn’t eliminate the danger, however; in many larger companies, a disgruntled worker could exploit this vulnerability against a specific user. A common prankster could also find this vulnerability appealing and could use other hacking methods to learn about someone’s Internet activities.
Microsoft describes the problem this way: “The vulnerability results because it is possible to create a URL that specifies the domain name of a third-party site and a series of HTTP requests. Upon processing such a URL, IE would establish a connection with the third-party site and then send the commands as though they had originated from the user.” In most cases, this wouldn’t pose any real threat. But at a few sites, such as Web-based e-mail services, the attacker could alter the user’s account, which could result in the loss of important data.
The third vulnerability covered by this security bulletin has a low degree of risk and is a variant of a Telnet flaw that was addressed earlier this year in Security Bulletin MS01-015. Microsoft says, “This vulnerability is only a concern for customers who are using the Telnet client that ships as part of Services for UNIX 2.0. No other versions of Telnet contain the command-line feature to create log files, including the versions that ship by default as part of Windows platforms.”
It should be noted that the Telnet vulnerability is not a problem in Telnet but a flaw in IE that allows users to access a session-logging feature using the command line.
The MS01-051 patch available from Microsoft fixes all three vulnerabilities. Although Microsoft doesn’t mention it, there is an obvious workaround for the security zone spoofing vulnerability. Simply reconfiguring the Intranet Zone settings to match the default Internet Zone security settings, or changing them back to the default Intranet Zone settings, will eliminate any real danger. Of course, this could adversely affect network activities if the default settings were originally altered to support specific intranet features that a company uses as part of its business systems.
How will you compensate for this IE security flaw?