Bugtraq mailing list archives
Yet another Internet Explorer bug...
From: aleph1 () DFW NET (Aleph One)
Date: Thu, 6 Mar 1997 09:22:17 -0600
http://dec.dorm.umd.edu/index.htm

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Yet another Internet Explorer bug...

Last updated on 3/5/97

----------------------------------------------------------------------------

Overview:

On certain machines running Internet Explorer 3.0, an icon can be embedded within a web page. When double-clicked, this icon may run a remote application without warning. This is not the same as the ".LNK and .URL" bug discovered recently. Be very afraid.

Who may be victimized:

This bug only affects Internet Explorer 3.0 users (version 4.70.1215). The problem is significantly more serious if the user is on a platform with CIFS (Windows NT 4.0 with Service Pack 1 or later installed). If this is the case, the location of the malicious executable code to be run on the victim's machine could be anywhere on the Internet. If this is not the case, the location of the machine containing the code is restricted to within the scope of Windows name resolution. For example, the host must be either on the same subnet, listed in the victim's LMHOSTS file, or listed on the victim's WINS server.

Examples:

Working examples of this bug are provided on a separate page because Windows name resolution often forces Internet Explorer to block for 10 to 15 seconds. If this happens, just wait it out; your computer has not crashed. If you are using Internet Explorer on a machine that doesn't have CIFS, the wait period may be significantly longer in order for Windows name resolution to time out. It should be noted, however, that CIFS is required for these examples to function.

Click here to see the Examples page.

Is this related to the "other" Internet Explorer bug of a similar nature discovered by Paul Greene?

No. This is not the same bug and the patch released to fix the other bug does not prevent this problem from occurring. The only similarities between the discovery of this bug and the discovery of the other bug are that I go to a college, live in a dorm, and have friends who helped me with this page. It should also be noted that this bug is probably the result of the move to merge Internet Explorer with the Windows desktop, just as the other bug was.

So how does this work?

Internet Explorer enables a user to use a URL describing a remote directory. When a user clicks on such a link, they are brought to what is essentially a Windows Explorer window, but inside of Internet Explorer. If this URL is used as the basis for an <IFRAME> tag, an embedded frame can be created with what is essentially a Windows Explorer window inside. If this window is made small enough, it appears to be some sort of button, one which runs a remote program when double-clicked. CIFS allows a machine to use the IP or hostname provided in the URL as a way of contacting the remote host containing the executable.

New Information:

* 3/5/97 7:30 pm - Microsoft contacted us and they are working on a fix.
* 3/5/97 5:45 pm - Reported to work in Memphis. (thanks to anonymous)

Disclaimer:

I discovered a different bug in a Microsoft product a year ago, and I found that it is very bad for my own personal PR. The bug was small and couldn't be used to gain access to a foreign computer system. I wrote about the bug in an extremely responsible way and even submitted my description of the bug as a writing sample on an interview. Nevertheless I was accused of being irresponsible, and even of being a "hacker." I'll admit that I might have been irresponsible by not letting Microsoft know about the problem ASAP, but I am NOT a hacker. Anyone who attempts to gain access to a computer without authorization is doing something dishonorable, illegal, and wrong. Period. If I am somehow made aware that someone has made use of the information on this page for a malicious purpose, I will not hesitate to alert the authorities.

In light of my experiences in the past, I feel I should mention that:

* I do not hold a grudge against Microsoft. I use (and love!) their products and would like to see them as bug-free as possible.
* I do not have any idea (or care about) how to "crack Windows 95 screensaver passwords." For some reason I keep getting mail about this, and I just want it to stop.
* Please drop me an e-mail if you reference this page.

----------------------------------------------------------------------------

Initial discovery by David Ross [Widdle Doggie Now!]
Help from Dennis Cheng and Asher Kobin.
Page created on 3/4/97
© 1997 Widdle Doggie. All rights reserved.
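The embedded-frame mechanism described under "So how does this work?", seen from the side of a filtering proxy or page audit. This is an added example, not part of the original post or of David Ross's page: it flags frames whose source is a location on a remote file share and notes when the frame is small enough to pass as a button. The URL forms checked (file://host/... and \\host\share), the 64-pixel cut-off and the host names are assumptions; the page states none of them.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ICON_PX = 64  # assumed cut-off for a frame small enough to pass as a button

def remote_share_host(url):
    """Return the host if url names a location on a remote file share, else None."""
    url = (url or "").strip()
    if url.startswith("\\\\"):                        # UNC path: \\host\share
        return url[2:].replace("\\", "/").split("/")[0].lower() or None
    parts = urlsplit(url.replace("\\", "/"))
    if parts.scheme.lower() != "file":
        return None                                   # http(s), relative, //host/...
    host = parts.hostname                             # file://host/share/
    if not host and parts.path.startswith("//"):      # file:////host/share
        host = parts.path.lstrip("/").split("/")[0].lower()
    return None if host in (None, "", "localhost") else host

class FrameAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):            # names arrive lowercased
        if tag not in ("iframe", "frame"):
            return
        a = dict(attrs)
        host = remote_share_host(a.get("src"))
        if host is not None:
            dims = [a.get("width"), a.get("height")]  # "100%" or missing: not small
            icon = all(d and d.isdigit() and int(d) <= ICON_PX for d in dims)
            self.findings.append({"host": host, "icon_sized": icon})

def audit(html):
    parser = FrameAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample page; fileserver.example and cdn.example are placeholders.
SAMPLE = r'''
<IFRAME SRC="//cdn.example/ad.htm" WIDTH=32 HEIGHT=32></IFRAME>
<IFRAME SRC="file://fileserver.example/share/" WIDTH=40 HEIGHT=40></IFRAME>
<iframe src="\\fileserver.example\share" width="100%" height="300"></iframe>
'''
```

Run over the sample, `audit(SAMPLE)` skips the ordinary protocol-relative frame and reports both file-share frames, marking only the 40x40 one as icon-sized.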