Bugtraq mailing list archives
IE5 UNIX sp00ky p0st
From: NHC Research <ipfreely () NEWHACKCITY NET>
Date: Fri, 13 Oct 2000 02:08:28 -0700
"Would you like some... HOT COCOA?!" -- Monster Chiller Horror Theater

Howdy,

First, let me say that we have decided to not post an advisory on this subject since we did not discover anything new. Instead, we decided to post an informal message detailing the findings from our testing.

Second, let me thank George Guninski and the other people who not only find vulnerabilities, but give great documentation and example code to work from. We could not have gotten any meaningful testing done without the contributions these people have made to the community.

Last, we want to say that IE5 UNIX is a great piece of software, in relative comparison to the other web browsers available on UNIX platforms. I highly suggest people check out IE5 UNIX once Microsoft addresses these issues. We sincerely hope this is ported to Linux soon.

Now, onto the Why/How.

Why?

I was talking to my friend Clint, who said he only uses IE5 on Solaris because he is incredibly fed up with Netscape. This got me thinking: there have been a lot of patches against IE 5.0 on Win32, along with a couple of minor releases (IE 5.01 and IE 5.01 SP1): where are the updates for the UNIX version? The answer: there are no updates available that we could find. Communications to Microsoft provided no answers, either.

How?

First, I sent a message to secure@Microsoft asking two questions:

1) Are the UNIX codebases completely divergent, making them potentially susceptible to attacks the Win32 version is not, and
2) If the codebases aren't completely divergent, then the UNIX versions of IE5 are most likely vulnerable to the same problems that have been reported about IE4/5 in the past few years. If that's true, why aren't fixes being supplied to UNIX users of IE?

That e-mail was sent on July 13th. I received an immediate response that said my message had been forwarded to the IE team. After 10 days of no reply, I resent the message, requesting a reply. There was none.
So, after finally getting some time to test, we would like to report a "Lucky 7" collection of vulnerabilities that IE5 UNIX is vulnerable to. We feel this is enough to demonstrate our point, and we feel that spending any more time doing this would warrant being paid by Microsoft for QA work.

Listed here are the BugTraq IDs, the original author, the "title" of the vulnerability, and the results of testing the vulnerability against IE5 UNIX. Note that in vulnerabilities where a file "c:\test.txt" was used, we replaced it with "/tmp/test.txt". The substitution also worked with "/etc/passwd".

BugTraq ID: 1394
Original Author: http-equiv () excite com
Title: Microsoft Internet Explorer and Outlook/Outlook Express Remote File Write Vulnerability
Result: Locks up all running instances of IE, must be manually killed.

BugTraq ID: 1311
Original Author: Georgi Guninski <joro () nat bg>
Title: Microsoft IE NavigateComplete2 Cross Frame Access Vulnerability
Result: Same result as Win32.

BugTraq ID: 1121
Original Author: Georgi Guninski <joro () nat bg>
Title: MS IE 5.01 JSObject Cross-Frame Vulnerability
Result: Same result as Win32.

BugTraq ID: 887
Original Author: Georgi Guninski <joro () nat bg>
Title: Microsoft IE external.NavigateAndFind() Cross-Frame Vulnerability
Result: Same result as Win32.

BugTraq ID: 815
Original Author: Georgi Guninski <joro () nat bg>
Title: Microsoft IE5 XML HTTP Redirect Vulnerability
Result: Causes "Internal Error" (crash).

BugTraq ID: 722
Original Author: Georgi Guninski <joro () nat bg>
Title: Microsoft IE5 Javascript URL Redirection Vulnerability
Result: Same result as Win32.

BugTraq ID: 696
Original Author: Georgi Guninski <joro () nat bg>
Title: Microsoft IE5 IFRAME Vulnerability
Result: Same result as Win32.