Log in

No account? Create an account
Lord Yupa

February 2010

Powered by LiveJournal.com
Danger Mouse

Serious Internet Explorer (and Outlook) Security Bug.

There's a major security problem with Internet Explorer 5.01 and 5.5. Here's the initial write up I saw:
Visit an attacker's webpage using Microsoft's browser on Microsoft's operating system, and the attacker can execute arbitrary code on your system with your full privileges. Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading e-mail from an attacker (opening attachments not necessary) also gives them full access to your machine. MSIE 5.5 is vulnerable, and MSIE 5.01 is vulnerable unless you've installed Internet Explorer 5.01 Service Pack 2.

You can get full details from Microsoft, as well as a patch to fix this, here.

Basically, if you have Internet Explorer 5.01 or 5.5 installed, you need to do this as soon as possible, or risk nasty problems.

Thanks to Slashdot for the posting and to Kriptopolis for discovering this bug.


Anytime. ;-)

I've seen way too many people get bit by nasty things like this, so I always do what I can to let everyone know. ;-)

Re: Anytime. ;-)

The Windows Update page crashes IE?

Now that's just. . . I'm not even sure how to describe that. ;-)
so reading e-mail from an attacker (opening attachments not necessary) also gives them full access to your machine.
Not exactly, no.

They only get access to your computer if their code executes (which, "Good Times virus" stories to the contrary, usually takes slightly more than just reading a message to happen.) There are steps that can be taken to prevent all but the most creative and skillful of virus programmers from being able to affect your computer from doing no more than just reading email, like disabling scripting in IE and turning off the preview pane in Outlook and Outlook Express for example.

Erm. . .

Actually, yes. In this case, just viewing the e-mail is enough to activate malicious code. You do not have to view the attachment.

This is a verified bug in how Internet Explorer/Outlook handles MIME types. Certain "unknown" MIME attachments are automatically processed, and if someone attaches a malicious binary, makes a minor edit to the MIME header, you are screwed.

Disabling scripting, while always a good idea, will not solve this. Additionally, this can be exploited without even reading a malicious e-mail, by posting a properly formatted HTML e-mail in the right way on a web page and simply getting someone to view the web page with Internet Explorer.

If you have further questions about what this bug can, or cannot do, I strongly urge you to examine the URL I posted, which is Microsoft's security bulletin. Particularly the part that says:
If an HTML mail contains an executable attachment whose MIME type is incorrectly given as one of several unusual types, a flaw in IE will cause the attachment to be executed without displaying a warning dialogue.
I assure you that I'm very familiar with computer and network security, and capable of discerning a hoax when I see one.

Additionaly, I also assure you that this is very real.

Re: Erm. . .

Disabling scripting was just an example of one thing that can be done to prevent malicious code from killing your system.

In the case of this vulnerability, they listed this as a way to block it:
The vulnerability could not be exploited if File Downloads have been disabled in the Security Zone in which the e-mail is rendered. This is not a default setting in any zone, however.
Not that I don't agree that installing the update is a Good Thing, just that I felt a need to point out that some precautions will do the trick without that being done.

And in this case, disabling File Downloads in your OE security zone would be the trick in question.

Re: Erm. . .

I'm not an Outlook user at all, so I can't comment for sure, but the understanding I had was that disabling file downloads would only protect you from exploitation via web page, not via malicious e-mail.

Additionally, looking back over it, I apologise if my response earlier seemed unfairly harsh. I had to deal with some fool at work who spent an hour trying to tell me that this whole thing was just another reincarnation of the "Good Times" hoax, and that put me in a rather bad mood about the whole thing.

As bad as people spreading virus hoaxes are, having legitimate problems get ignored due to someone's ignorance was really frustrating.

Of course, when the "official" company-wide warning came out a few hours later, he finally admitted that there *might* be *some* validity to it. ;-)

Re: Erm. . .

(And I did write "usually," rather than "always"...)