GuardDog Security | Information Alert: Internet Explorer's 3 Holes
10/11/01 -

INFORMATION ALERT


AN EMERGING ISSUE WITH:

MICROSOFT INTERNET EXPLORER 5.01, 5.5 and 6



SEVERITY:
Medium


DATE:
October 11, 2001



SUMMARY:

On May 10, Microsoft released a patch for multiple versions
of Internet Explorer that corrects three new vulnerabilities
in the popular Web browser. Using these vulnerabilities,
hackers can reduce IE's security features for external Web
sites, send commands to Web sites that appear to come from
you, or send malicious code to your system that can execute
automatically. There is no direct impact on WatchGuard
products. System administrators are advised to download this
patch and apply it to all systems using these versions of IE
as soon as is practical.


EXPOSURE:

The three new vulnerabilities in Internet Explorer addressed
in this patch are:

1) Security Zones, a feature in IE, enables different levels
of user-defined security for Web sites depending on their
location. IE considers any IP address within your network
to be within the Intranet Zone and, thus, imposes fewer
security restrictions on those sites than it does on the
Internet Zone. Security researcher Michiel Kikkert found
that when an external Web site is accessed using a
malformed dotless IP address, IE will mistakenly consider
that site to be in the Intranet Zone, thereby imposing
less security. A dotless IP address, also known as a
DWORD IP address, is an alternate way to express an
Internet address (detailed in Kikkert's security bulletin)
that is little known publicly, but familiar to programmers.
Hackers could exploit this vulnerability by getting you
to click on the malformed link, either by sending it to
you in e-mail or posting it on a Web site. The malformed
link would lead to a site where the attacker may be able
to deliver a malicious payload because your browser will
trust the site as if it resides inside your Intranet.

IE's default Intranet settings should not allow any
destructive actions to occur, but if you've lowered these
settings, this exploit could allow any action on your
machine, including reading a file, altering data, or
placing Trojan code. The potential risk depends upon a
user's individual security settings for his or her
Intranet Zone. You can view or change the Intranet Zone's
settings in IE by clicking Tools => Internet Options =>
Security Tab => Intranet Settings icon.

2) The second vulnerability enables a hacker to use a
specially-crafted Web link so that clicking on it will
both send you to another Web site, and add HTTP requests
that appear to originate from you. This malformed URL
could come to you in a Web page or in an e-mail. The
attacker would tailor the HTTP requests to fit the site
the link sends you to. In theory, anything you can do via
a Web-based service, the hacker could do (e.g., selling
your stock, or deleting your Web-based e-mails). In
actuality, the hacker needs a lot of knowledge about you,
the site in question, and the stuff you have access to on
that site, to succeed with this difficult exploit.

3) The third vulnerability works only if you have installed
the telnet client that comes with Services for Unix v2.0. In this
exploit, a hacker can form a URL that, when clicked on,
will also invoke a telnet connection and initiate
logging, saving the "log" to the filename and directory
of the hacker's choosing. Since telnet logging simply
records, verbatim, characters sent via telnet, the hacker
could send malicious code that telnet saves as a "log
file," but is really an executable. The code could auto-
execute during the next reboot and install Trojan code on
your machines.
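
For the dotless IP issue in item 1, the check below flags URLs in
proxy logs or mail whose host is a single number. It is an added
example, not part of the original alert; it goes beyond the decimal
DWORD form by also decoding hex and octal single-number hosts, and the
internal ranges, function names and sample URLs are assumptions.

```python
"""Added example: flag URLs whose host is a dotless (DWORD) IPv4 address."""
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges treated as "inside" (an assumption; adjust to your own network).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
NUMERIC_HOST = re.compile(r"0x[0-9a-f]+|[0-9]+")  # hostname is already lowercased


def dotless_to_ipv4(host):
    """Return the IPv4Address a single-number host denotes, or None."""
    if not NUMERIC_HOST.fullmatch(host):
        return None                      # ordinary name or dotted form
    if host.startswith("0x"):
        base = 16
    elif host.startswith("0") and len(host) > 1:
        base = 8
    else:
        base = 10
    try:
        return ipaddress.IPv4Address(int(host, base))
    except ValueError:                   # bad octal digit or value above 2**32 - 1
        return None


def classify_url(url):
    """Return (verdict, dotted_quad) for one URL taken from a log or message."""
    host = urlsplit(url).hostname or ""
    if not NUMERIC_HOST.fullmatch(host):
        return ("ok", None)
    addr = dotless_to_ipv4(host)
    if addr is None:
        return ("dotless-unparsed", None)   # numeric host that is not a valid address
    inside = any(addr in net for net in INTERNAL_NETS)
    return ("dotless-internal" if inside else "dotless-external", str(addr))


# Constructed sample URLs (documentation and private address space only).
SAMPLES = ["http://3221225985/index.html", "http://0xC0000201/",
           "http://167772165/", "http://intranet/home", "http://192.0.2.1/"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, classify_url(url))
```

A "dotless-external" verdict is the case the alert describes: a host
written without dots that actually lies outside your network.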


SOLUTION PATH:

* All administrators who run Internet Explorer 5.01, 5.5 and
6 should download and install Microsoft's patch
(www.microsoft.com/windows/ie/downloads/critical/q306121/default.asp).
This is even more important if you also run
Services for Unix v. 2.0.


A Guarddog Firewall configured properly with an HTTP-
Proxy could help protect you against malicious content
that the Internet Zone Spoofing vulnerability opens you
to. You could also use the Guarddog to block outgoing
telnet connections, thus rendering the Telnet Invocation
Vulnerability worthless. Contact us for more information.


STATUS:

The supported patch is available on the Microsoft Web site.