Bugtraq mailing list archives

Re: IE5 allows executing programs


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Wed, 1 Sep 1999 09:59:45 -0700


Now for the detailed response...

At 09:16 PM 8/30/99 -0400, SysAdmin wrote:

> ANY Windows 98 file can be overwritten.

Sure - the OS has no concept whatsoever of securing itself from the end
user. DoSing Win98 with an attack like this is trivial.  However, it is
still a cheap, lame attack on end-users that really doesn't gain you
anything and gives people a bad day.  Maybe that's your idea of fun, but it
isn't mine.  May as well send them an executable that fdisks the hard
drive.  Probably work nearly as often, and do a lot more damage.  Put
dancing bunnies in the .exe.  People love dancing bunnies.

> I would like to note, for the record, that the vast majority of home users

For the record, this hole is a serious one.  I don't downplay the
seriousness of the issue.  I can make it do a lot more than you're thinking
about here, and a number of the obstacles you mention can be overcome
trivially.

YOU CAN GET THE USER TO EXECUTE ARBITRARY CODE.  Period.  End of story.
What you do with that code is up to you.  There is no need to delve into
the details of just how you steal the lunch money from the end users.

> Despite David
> LeBlanc et al.'s assurance that we could just disable ActiveX I'm discussing
> it because you know your poor parents are NEVER going to,

Since this is a security list, people here care about security.  One of the
things we do here is discuss work-arounds.  Most UNIX admins don't install
patches either.  Most _people_ don't install patches.  I've broken into
systems that had holes that were 10 years old.  Maybe some of the people
will read this, and say "Damn, he's right", then go click on several
buttons and poof - they aren't vulnerable any more.  Then if some
sociopathic moron DOES go off and create an e-mail virus with this as the
payload, maybe just maybe SOMEONE won't be hit by it.  I try to offer
helpful suggestions as to how to make things BETTER, given that between the
fact that security holes happen, end users are usually clueless, and
sysadmins aren't much better, most networks are a mess.  The ONLY chance
you've got against this sort of thing are automated tools to check LOTS of
systems at once so that you know where the problems are.  I deal with a
network that approaches 100,000 systems, so I know something about scale.

No, most people won't go turn it off.  They'll accept the defaults,
whatever they are.  Somewhat more of them will read about this in the news
and go get the patch.

> And, of course, what average user could EVER
> recover from this sort of damage?

They'll go get a friend who will help them reinstall, or go pay CompUSA or
something.  They might not ever figure out what got them.  Too bad you
can't get them to take a snapshot using their web cam and send it to you so
that you can see the misery on their face.

> On to Windows NT, yes, David was correct, you can bar write access in NTFS
> and it cannot be written to. I have not invested any interest in this but I
> assume there is at least one critical system file (possibly security file)
> that he would miss and might be overwritten.

Maybe you should.  If you're not running as admin, there isn't much you can
torch off, and certainly not the SAM file.

> In fact the default for the
> Administrator or one with Administrator privileges is Full Access. Of course
> this would allow the exploit to run. The other thing to remember is that in
> very small domains the average user is generally administrator

This is true.  Far too many people run as admin.  Fortunately, this should
get better in Win2k - several changes to encourage people to run as <
admin, and make life easier if you want to change user context to go do
something.

> and remember
> this exploit can be E-Mailed!!! or mass-mailed! get my drift?

I understand that.  E-mail readers that display HTML aren't a really great
idea in my personal opinion, and I'm not using one right now.  However, I
would encourage people to set their mail reader to assume that e-mail is a
hostile site, and make the settings accordingly.  Again, just a vain hope
that maybe a few people might be more secure.  IF someone takes my
suggestion and tweaks their settings, there are whole classes of attacks
that will no longer get them.

And if you do mass mail something like that, you'll cost people a LOT of
money, and the feds will make a good effort to hunt you down and put you in
jail.  Jail is not a fun place.

> The other
> thing is that the default install for NT (especially on HP's) is FAT,

Wrong.  That could be how that manufacturer sets up _some_ of their
machines, but it isn't default for NT install.

> which
> does not allow specific file security. Anyone know a dual-booter? Maybe
> someone who doesn't even know what NTFS is? I thought so.

Most people who don't know what NTFS is are still using it if they are
running NT.

> Not bad, huh?

Actually, it contains flaws which are trivially overcome that make it break
under a number of conditions.  Though considering what this code does, not
working could be thought of as a feature.

> This exploit needs to be realized for what it is, a very
> dangerous problem. If someone mass-mailed it to my domain I wouldn't be able
> to deal with bouncing between three offices helping EVERY single user.

It is extremely dangerous.  I'm not down-playing that point at all.  Go
tweak your settings and get your fixes.  Go around to your end-users and
tweak their settings for them.  Make a .reg file that tweaks the settings,
and get them all to run it.  Write a script that checks for the presence of
the patch, run it against all your end users, and make a list of the ones
that aren't patched.  Then go patch them.

David LeBlanc
dleblanc () mindspring com
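What the closing advice looks like in practice, as an added example that is not code from the thread or its author: a PowerShell stand-in for the "script that checks for the presence of the patch" and the ".reg file that tweaks the settings" (PowerShell did not exist in 1999; a batch file plus .reg file would have played the same role). The function names, the hosts.txt input and the `KBxxxxxx` hotfix id are assumptions; the thread never names the hotfix.

```powershell
# Added example, not from the thread. Assumptions: PowerShell 5.1+, WMI/DCOM reachable
# on the target hosts, administrative rights there. $PatchId is a placeholder.

function Get-PatchStatus {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $PatchId
    )
    foreach ($h in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering; it throws if the host is unreachable
            $installed = Get-HotFix -ComputerName $h -ErrorAction Stop
            [pscustomobject]@{
                Host    = $h
                Patched = [bool]($installed.HotFixID -contains $PatchId)
                Note    = ''
            }
        } catch {
            # Unreachable hosts are reported as unknown, never silently counted as patched
            [pscustomobject]@{ Host = $h; Patched = $null; Note = $_.Exception.Message }
        }
    }
}

function Disable-InternetZoneActiveX {
    # Equivalent of the .reg file the author suggests: IE settings for Zone 3 (Internet),
    # per user, so each end user has to run it (or it is pushed into their profile).
    # 1001 = download signed ActiveX, 1004 = download unsigned ActiveX,
    # 1200 = run ActiveX controls and plug-ins, 1201 = script ActiveX not marked safe.
    # Data: 0 = enable, 1 = prompt, 3 = disable.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    foreach ($setting in '1001', '1004', '1200', '1201') {
        Set-ItemProperty -Path $zone -Name $setting -Value 3 -Type DWord
    }
}

# Usage (constructed input): hosts.txt holds one hostname per line.
# The list printed is "the ones that aren't patched", plus any host that could not be checked.
$targets = Get-Content -Path .\hosts.txt
Get-PatchStatus -ComputerName $targets -PatchId 'KBxxxxxx' |
    Where-Object { -not $_.Patched } |
    Format-Table -AutoSize
```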
