The Israeli security company GreyMagic recently announced that it had discovered an error-handling vulnerability in multiple versions of Microsoft's Internet Explorer. It informed Microsoft of the problem near the end of February 2003. Microsoft's security specialists reported that they were able to trigger this vulnerability in IE 6 Gold and all versions below it. However, GreyMagic reported that it located the vulnerability on all IE versions, including IE 6 with Service Pack 1 installed.
The problem lies in the fact that IE ships with a set of HTML resource files, stored inside shdoclc.dll, that render the "friendly" pages shown when a Web site returns an HTTP error. One of these pulls the URL of the page that failed from the fragment (the part after the #) of the resource URL. GreyMagic used the following example to show this: "If 'site.com' generated a 404 HTTP error, the following URL will be internally requested by IE: res://shdoclc.dll/404_HTTP.htm#http://site.com/file.html."
The resource page extracts the domain from that fragment and uses it to build the custom error message, but GreyMagic discovered that this parsing does not validate what it extracts. Because the fragment is supplied by whoever controls the original URL, an attacker can get script into the error page, and that page runs in the Local Zone, the trusted context IE uses for res:// content.
The error message is IE's familiar "This page cannot be displayed" message with the bulleted list of options, including "Open the site.com home page, and then look for links to the information you want."
GreyMagic said that it specifically tested and found this vulnerability in Internet Explorer version 5 and IE 6 on Windows 98; IE 5.5 and IE 6 on NT 4; IE 5.5 and IE 6 on Windows 2000; and IE 6 on Windows XP. Although this flaw was discovered in Internet Explorer, GreyMagic said that it will also affect any other application that uses the IE engine, including MSN Explorer and AOL's built-in Web browser.
This flaw could allow an attacker to run script in the IE Local Zone, which at a minimum means reading files from the local disk; what else can be done from there depends on the ingenuity of the attacker.
The attack is not fully automatic: the user must click the link that the error page builds from the injected fragment before the script runs. In the example above, that link is the "Open the site.com home page" item in the bulleted list.
About all you can do right now is warn users not to click the links in IE's error pages, and remember that the same advice applies to MSN Explorer, AOL's browser and anything else built on the IE engine. Beyond that, you'll have to wait for Microsoft to introduce a new patch or service pack. GreyMagic reported that Microsoft is planning to fix this in a future update.
GreyMagic didn't say why it released the information about this vulnerability before Microsoft had produced a fix, but I surmise it felt that giving Microsoft four months to fix this was sufficient notice. In general, the number of serious vulnerabilities discovered recently seems to have declined. Whether this is due to efforts on Microsoft's part to improve security or is just a random occurrence is anyone's guess at this point.
This week, I'm adding a new feature to this column called "Also watch out for…," in which I'll try to include what I see as the most important of the second tier of new vulnerabilities. Although space limitations prevent me from covering more than one or two major threats that affect a lot of users, any vulnerability is major to the IT pro who has a single system that's at risk. I won't attempt to cover all new vulnerabilities in this section—just the ones I think are most likely to affect TechRepublic readers.
Also watch out for…
- GreyMagic leads off this week's second tier of threats with Security Advisory GM#013-IE, a cross-site scripting vulnerability in unparsable XML files. This is found in IE 5.5 and 6.
- HP-UX 8 flaws have been found and patched.
- Multiple vulnerabilities have been found in Mailtraq.
- eWeek has reported a new kind of Trojan and warns that initial samples indicate that a possible mass attack is planned.
- Microsoft says that MSN Messenger version 6, the beta version of the company's IM application, is being made available on various unauthorized Web sites. The company warns that it should not be used because the code is not stable and was never intended for general release, even for testing purposes.
- McAfee has issued an alert for a new Trojan that includes a driver for the Linux Kernel Intrusion System (Linux/Kis).