A new flaw in IE 6.0 could allow attackers to shut down a computer just by getting users to visit a malicious Web site. The flaw is commonly referred to as the Codebase Localpath vulnerability, and Microsoft was notified of it in January and February of 2002. As recently reported in Newsbytes, some security specialists contend that Microsoft has known of the problem since June 2000.
In part, Microsoft’s lack of response has probably been due to the fact that earlier exploits of this vulnerability performed relatively harmless actions, such as running the Microsoft Calculator. Unfortunately, this vulnerability was never patched. Now a new utility, Logoff.exe, which is installed by default on XP systems, could make this vulnerability more dangerous. If users visit a malicious site that takes advantage of the Codebase Localpath hole to automatically run Logoff.exe when the Web page is opened, the system will begin the shutdown sequence. This could cause the user to lose all current, unsaved work.
A similar program, Shutdown.exe, is also found in XP installations. In fact, both Logoff.exe and Shutdown.exe are found on some NT and Windows 2000 systems because they are included with the resource kits for those operating systems.
Threat level—moderate
The risk that this vulnerability will be exploited grew dramatically a few weeks ago when the source code for one possible logoff attack was posted on the security mailing list Vuln-Dev. That posting turned this threat into a trivial, script kiddie-level attack. The fact that the shutdown executables are now shipping with all versions of XP means that not only will this attack almost certainly be exploited, but it will now begin to cause real damage.
Fix
Anyone running Windows XP, and anyone whose NT or Windows 2000 system has had these utilities added via the respective resource kit, should, at a minimum, search for the dangerous Logoff.exe and Shutdown.exe files that could be used to shut down those systems and remove them.
According to the source code for the exploit as listed by Swedish security researcher Magnus Bodin, you should look for Logoff.exe in:
c:/windows/system32/logoff.exe
c:/winxp/system32/logoff.exe
c:/winnt/system32/logoff.exe
Of course, that research represents only a partial exploitation of the vulnerability, so you should also check for the presence of Logoff.exe in other directories, and you should look for Shutdown.exe as well.
If you don’t use JavaScript or ActiveX, you’re still not safe. Israel-based GreyMagic recently demonstrated that any system using IE 5.5 or later is vulnerable to an attack that can run arbitrary code even without JavaScript or ActiveX; the demo runs code on both MS Outlook and IE systems even when JavaScript and ActiveX are disabled. The threat is due to an IE feature called Data Binding. This feature has been around for years, but in combination with the Codebase Localpath hole, it could lead to much more serious threats.
The only real fix I can see at this time is to disable Logoff.exe and Shutdown.exe or move them from the default locations to other directories on your systems (where the attack won’t know to look for them). Unfortunately, this won’t block the CodeBase vulnerability; it will only remove the most well-known destructive threat at the moment. Please use extreme caution since I can’t guarantee that this solution won’t cause other problems with some applications that might legitimately use these utilities.
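The search-and-move mitigation described above (check the default system32 locations and other directories for Logoff.exe and Shutdown.exe, then move them out of the paths an exploit page would hard-code) as an added example; this is not code from the original article, and the directory tree it checks is constructed in a temporary folder rather than being a real Windows install.

```python
import shutil
import tempfile
from pathlib import Path

TARGET_NAMES = ("logoff.exe", "shutdown.exe")  # utilities named in the article


def find_shutdown_utilities(roots, names=TARGET_NAMES):
    """Return files under `roots` named like `names`, matched case-insensitively
    (NTFS is case-preserving). Missing roots are skipped and subdirectories are
    walked, since the article says to check beyond the three default paths."""
    wanted = {n.lower() for n in names}
    found = [p for root in roots if Path(root).is_dir()
             for p in Path(root).rglob("*")
             if p.is_file() and p.name.lower() in wanted]
    return sorted(found)


def quarantine(paths, dest_dir):
    """Move each file into dest_dir so a hard-coded default path no longer
    resolves; name clashes get a numeric suffix. Returns (original, new) pairs."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    moved = []
    for p in paths:
        target, n = dest / p.name, 1
        while target.exists():
            target = dest / f"{p.stem}.{n}{p.suffix}"
            n += 1
        shutil.move(str(p), str(target))
        moved.append((p, target))
    return moved


def demo():
    """Run the check on a constructed tree (not a real Windows install) and return counts."""
    base = Path(tempfile.mkdtemp())
    for rel in ("windows/system32/logoff.exe", "winnt/system32/Shutdown.EXE",
                "winnt/system32/tools/logoff.exe", "windows/system32/notepad.exe"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(b"MZ constructed placeholder")
    roots = [base / "windows/system32", base / "winxp/system32", base / "winnt/system32"]
    found = find_shutdown_utilities(roots)
    moved = quarantine(found, base / "quarantine")
    return {"found": [p.name for p in found], "moved_to": sorted(t.name for _, t in moved),
            "left_behind": len(find_shutdown_utilities(roots))}
```

On a real system, pass the article's three system32 paths (and any other suspect directories) to find_shutdown_utilities and review the list before calling quarantine.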
Symantec describes this vulnerability (which it refers to as the XMLid.Exploit) as “an exploit which can run executable files on the local file system without warning.” It has included XMLid.Exploit as a virus signature, and Norton AntiVirus will detect something on some vulnerable systems—but it wasn’t clear from the Symantec explanation just what the antivirus software will detect and remove, what other consequences this might have, or whether this will completely plug this vulnerability.
McAfee Security designates this vulnerability as Exploit-CodeBase and describes the threat as “low risk.” McAfee’s report includes this warning: “Windows Me utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files.”
The same page includes detailed instructions on how to disable the Restore Utility in Me installations.
Final word
Codebase Localpath isn’t a particularly dangerous threat at this time. At worst, it appears that it could initiate a shutdown on some systems, but only if users visit a malicious Web site containing the code and only if their system contains one of the two affected system utilities. However, more exploits may be discovered, and I find it disturbing that Microsoft apparently hasn’t addressed this threat, especially since Windows XP makes the threat more widespread with the proliferation of Logoff.exe and Shutdown.exe.