Another Security Hole in Internet Explorer - Bug Hunter

Bulgarian bug hunter Georgi Guninski has
uncovered what he says is another serious security hole in
Microsoft's Web browser engine - a glitch that could allow a
malicious hacker to read the contents of files stored on a user's
PC.

In a post to the BugTraq mailing list Thursday, Guninski reported
that attacks using the exploit could be launched through a Web page,
tripping up unsuspecting users of Microsoft's Internet Explorer
browser, or through HTML-formatted mail delivered to users of
Microsoft's Outlook and Outlook Express e-mail application.

Guninski, a security consultant who also makes uncovering bugs his
hobby, said he found the problem in Internet Explorer/Outlook 5.5,
but that he figured it could affect earlier releases of the
software as well.

On Oct. 5, Guninski made public an IE 5.5 security hole known as
the "Virtual Machine ActiveX Component Vulnerability" that allows
hackers to create Java programs that can execute ActiveX scripting
commands unfettered by some standard ActiveX security. It meant
someone delivering such a Java applet via a Web page or by mail
could execute virtually any command on a user's system.

Microsoft released a patch for that problem on Oct. 12.

The security hole reported by Guninski Thursday also involves Java,
but does not appear to be nearly as serious.

The bug hunter said the vulnerability would allow the creator of a
Java program to read the contents of a file stored on a user's PC
drive if the hacker knew the name of the file beforehand.

Guninski said the problem is that the Microsoft browser software
(which is also invoked to display HTML-formatted mail in Outlook)
permits a malicious Web-page creator to assign a drive and
directory on the user's own machine to a parameter known as
"CODEBASE" when a Java applet is loaded in a certain way.

A Java applet can expect to be able to read files in the directory
assigned to CODEBASE. However, when communicating via the Web, that
directory is supposed to be on a server, not a user's PC.

In an example provided by Guninski, an applet compressed in a JAR
(Java archive) file can be redirected to the CODEBASE "file:///c:/"
- giving the applet's programmer read-only access to files in the
root directory of the PC drive known as "c:".
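A defender-side check for the pattern described above, added here as an example that is neither Guninski's demonstration nor Microsoft's code: a small Python scanner a mail or web gateway could run over HTML to flag applet or object tags whose CODEBASE resolves to the local disk (a file: URL or a bare drive path such as c:\) rather than to a server. Because the article does not say how the applet is loaded, it assumes the value appears as the codebase attribute of an applet/object tag or as a param named codebase; the sample mail body is constructed.

```python
import re
from html.parser import HTMLParser
# "file:" URLs (any case, / or \ separators) name the user's own disk.
LOCAL_SCHEME = re.compile(r"^\s*file\s*:", re.IGNORECASE)
# A bare Windows drive path such as "c:/" or "C:\" (one letter, then colon).
DRIVE_PATH = re.compile(r"^\s*[A-Za-z]:(?:[\\/]|$)")

def is_local_codebase(value):
    """True if a CODEBASE value points at local storage instead of a server."""
    v = value.strip().replace("\\", "/")
    return bool(LOCAL_SCHEME.match(v) or DRIVE_PATH.match(v))

class CodebaseScanner(HTMLParser):
    """Records every applet/object codebase that resolves to the local disk.
    Assumption (the article does not say how the applet is loaded): the value
    is the codebase attribute of <applet>/<object> or a <param name="codebase">.
    """
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("applet", "object") and "codebase" in attrs:
            self._check(tag, attrs["codebase"])
        elif tag == "param" and attrs.get("name", "").lower() == "codebase":
            self._check("param", attrs.get("value", ""))

    def _check(self, where, value):
        if is_local_codebase(value):
            self.findings.append((where, value))

def scan_html(html):
    """Return (tag, codebase) pairs a mail or web filter should block."""
    scanner = CodebaseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample of an HTML mail body: one JAR-packaged applet aimed at
# the c: root, one legitimate applet from a web server, one local <param>.
SAMPLE_MAIL = """<html><body>
<applet code="Reader.class" archive="r.jar" codebase="file:///c:/"></applet>
<applet code="Fine.class" codebase="http://www.example.com/applets/"></applet>
<applet code="Other.class"><param name="codebase" value="C:\\"></applet>
</body></html>"""

if __name__ == "__main__":
    for where, value in scan_html(SAMPLE_MAIL):
        print(f"blocked: <{where}> codebase={value!r}")
```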

This vulnerability is akin to another hole Guninski reported Sept.
26. That glitch allows a JavaScript programmer to use that
scripting language's "GetObject" function to read known local files
simply by feeding it with an ActiveX object known as "htmlfile".

While Microsoft has not released a patch for the GetObject problem,
users may be able to protect themselves by disabling Active
Scripting.

Guninski said he notified Microsoft about his most-recent find on
Oct. 14.

A Microsoft spokesperson said the company is currently
investigating the report.

Meanwhile, Microsoft has been busy alerting those who use its IIS
(version 4 and 5) Web server software to a serious hole that allows
Web-site visitors to execute programs on those Windows NT hosts.

Known as the "Web Server Folder Traversal Vulnerability," the full
extent of the problem was only recently discovered, but it is
closely related to a security problem Microsoft addressed in early
August.

Microsoft is asking IIS administrators who have not already
installed a patch released Aug. 10 for the "File Permission
Canonicalization Vulnerability" to do so immediately.

Information on the Microsoft security patch can be found online here:
http://www.microsoft.com/technet/security/.

Guninski's security Web site is here: http://www.guninski.com/.


© 1998-2024 BetaNews, Inc. All Rights Reserved.