Microsoft desktop proponents continue to point out how great it is to have highly integrated software that is both feature-rich and easy for users to operate. Yet Microsoft’s desktop applications continue to demonstrate a less-than-stellar security record, as two serious new flaws have been discovered in Internet Explorer.

Two serious threats
The first of these vulnerabilities was discovered by Thor Larholm, a developer with Denmark-based Internet portal Jubii.dk. Larholm said that—ironically—the vulnerability, which can expose all cookies to an attacker, resides in the way IE handles the privacy dialog window that can be used to display a Web site’s privacy statement. (IE 6.0 has supposedly improved security because it can make permission decisions based on the content of a site’s privacy statement.)

While Microsoft recently provided an IE patch (MS02-015) dealing with this problem, it was apparently an incomplete patch. Larholm says the vulnerability he discovered exists even in patched programs. As described in one of my earlier columns, MS02-015 was a cumulative patch, but it also included two new patches, one of which was intended to address a similar problem to the one described by Larholm.

According to a report from Wired, another, completely different vulnerability (which I will refer to as the Refresh/Back button threat) was reported to Microsoft on March 25, 2002, by Swedish engineering student Andreas Sandblad. This vulnerability can be triggered by anyone using the Back button in IE.

It reportedly works like this: When a page fails to load, IE displays its standard error page, which is an internal resource and is therefore rendered in the Local Computer Zone, the most trusted zone, with the fewest restrictions. Clicking the Back button redisplays the previous page, but unfortunately IE's security settings may remain those of the trusted Local Computer Zone, so malicious JavaScript code on that page can immediately execute with local privileges.

The Wired report quoted Sandblad as saying that he initially thought this vulnerability occurred only when clicking on the Refresh button, and he notified Microsoft of that threat last year. Sandblad said that Microsoft responded to his concerns several months later, essentially saying that it didn’t consider the vulnerability serious enough to correct.

When he later discovered that the problem also occurred when using the Back button and informed Microsoft, the company told him that it was considering a patch. He warned Microsoft that he would go public with his discovery if it didn’t address this gaping hole in IE, but it never responded to his message. Sandblad posted a demonstration of the vulnerability to the BugTraq mailing list on the evening of April 14, 2002.

Since this vulnerability requires interaction by the user, Microsoft says that the company doesn’t consider this “a security vulnerability” by its strict definition.

Risk—critical
One exploit demonstrated by Larholm on his Web site allows a malicious Web site to launch programs already present on the user's system; another sends messages to everyone in the victim's MSN Messenger contact list. Larholm said that the vulnerability will also allow an attacker to read any cookies found on the target system, although he did not provide a proof of concept for this threat. Nevertheless, this vulnerability could do some serious damage, so I rate it as critical.

I also rate the Refresh/Back vulnerability revealed by Sandblad as critical because of its potential for allowing malicious JavaScript code to execute quite easily.

Applicability
Larholm eventually went public with this vulnerability when, according to a Newsbytes report, he felt that the Microsoft security team was dragging its feet in fixing this problem. He notified the company on March 18, 2002, and has reported that he has found the vulnerability in:

  • IE6sp1 on Win2000 SP2, with all patches.
  • IE6sp1 on Windows 98, with all patches.
  • IE6sp1 on Windows 98 SE, with all patches.

Since this vulnerability lies in the WebBrowser control, it applies to IE, Outlook, and Outlook Express, and in principle to any other application that embeds that control to render HTML.

Israel-based GreyMagic has since reported that it has followed up on Larholm’s findings and tested earlier versions of Internet Explorer. According to its Web site, a similar but not identical vulnerability exists in:

  • IE5sp2 NT4 sp6a, with all patches.
  • IE5.5sp2 NT4 sp6a, with all patches.
  • IE6sp1 Win2000 sp2, with all patches.

GreyMagic says that the exploit it discovered runs intermittently under IE 5.0, but works consistently under IE 5.5 and IE 6.0.

Sandblad discovered the Refresh/Back button vulnerability in IE 6.0 running under Windows 2000 and XP. Wired reports that its own tests found the same problem with various combinations of IE 5.5 and 6.0 on multiple versions of Windows 98 and NT.

It is important to keep in mind that users would have to visit a malicious site to be vulnerable to any of these exploits, or, in the case of Larholm's WebBrowser control flaw, view an HTML message that reaches them through Outlook or Outlook Express.

Fix—work around it
At the time this report was written, Microsoft had not responded to either of these problems except to say that it is still investigating whether there is a need to respond. No patch was available for any of these vulnerabilities, but of course one may be released by the time you read this.

Larholm said that disabling JavaScript will block exploitation of the vulnerability he described. GreyMagic did not post a fix for the problem it discovered, but it details the coding mistakes on its Web site page devoted to the threat.

The only way I can see to avoid the Refresh/Back button vulnerability is to avoid using either prominent browser feature, although viruses might still be able to find a way to exploit these flaws.

Details
The initial problem reported by Larholm exists in dialogArguments, the property through which a page that opens a dialog window with showModalDialog or showModelessDialog passes objects to the page displayed in that dialog.

The problem he discovered is that the check guarding dialogArguments sometimes fails to prevent interaction between different Web sites. dialogArguments is supposed to hand objects only to a dialog page on the same site as the opener, but a malicious site can open the dialog with a URL on its own site that answers with an HTTP redirect to the real target. IE compares the URL it was asked to load, not the one it ends up displaying, so the check passes and the attacker's objects reach a page on another site.

Larholm described the problem as follows: "The dialogArguments property tries to prevent interaction between remote pages by comparing the location of the originating page and the dialog page. When opening a dialog window (e.g., res://shdoclc.dll/policyerror.htm) from another protocol, port or domain (e.g., http://jscript.dk), the validation code in IE will ensure that no objects are transferred, and no interaction is as such possible. When both pages are on the same protocol, port, and domain, the validation code will allow interaction. Unfortunately, the validation code only checks the original URL instead of the final URL…."

The vulnerability leaves your system wide open because it allows interaction between pages on virtually any two domains, different ports, or even different protocols, including res: pages such as the one in Larholm's example, which run in the Local Computer Zone.

The additional vulnerabilities reported by GreyMagic relate to Analyze.dlg, which GreyMagic says is not easy to exploit but is still open to a careful attack.

Final comments
This is yet another example of Microsoft being slow to respond to a known vulnerability after it was notified of a problem—so slow, in fact, that the discoverer felt that it was necessary to publicize the threat to push Microsoft into posting a patch.

The Refresh/Back button exploit is especially troubling if, as reported by several sources, Microsoft is placing all the responsibility on users to have somehow discovered on their own that such prominent and commonly used browser features are actually extremely dangerous.

I’ve certainly never seen any warnings against using the Refresh or Back buttons in any of the tens of thousands of pages of Microsoft documentation I have waded through over the years.

Making users vulnerable by silently reverting security settings to the Local Computer Zone without any warning is potentially one of the worst flaws I have ever heard of in any Microsoft product, and the fact that the company is apparently not taking this seriously is very disconcerting.