DATE: COMMAND SOURCE: AUTHOR: IE

SYSTEMS AFFECTED

Windows '95, Internet Explorer v3.01

PROBLEM

A newly (at this moment) discovered third bug exploits the fact that ".isp" script files may be downloaded and executed by Internet Explorer. This is essentially just another permutation of the "CyberSnot" bug (see Internet Explorer #1 on Security Bugware). The author's text can be found at the following address:

http://web.mit.edu/crioux/www/ie/index.html#exploits

The text used here is part of the author's original text. This was discovered by Chris Rioux.

This hole allows a malicious web page to automatically run any program on the user's hard drive, which means that users of Internet Explorer could have their hard drives completely deleted, their private information stolen, or their computer infected with a virus merely by looking at a web page.

This bug works on a similar principle as the bug discovered at WPI. However, instead of using .lnk files or .url files, this bug exploits the fact that other files can also be downloaded and automatically executed without prompting the user for permission. This bug is not fixed by the security patch which Microsoft put out for the WPI bug.

This bug has thus far only been verified on the Windows 95 version of Internet Explorer. This bug does not appear to affect Windows NT (any service pack/version), in its usual configuration.

On the page mentioned above you can find simple demo exploits which:

* Download a remote file (think about virus)
* Create and delete directories (what about your HD)
* Run a local file (familiar with deltree.exe)

This bug only requires that a user look at a particular web page. The user does not need to click on any "disguised hyperlinks" for the bug to be exploited. Our example exploits demonstrate this. Last time, it was mis-reported that users needed to click on a disguised hyperlink to activate the exploit.
In fact, with a little more programming it can be made automatic so that a user only needs to look at a page (as it is with our bug).

EXPLOIT

SOLUTION

Although this is essentially just another permutation of the "CyberSnot" bug, the patch released by Microsoft to fix the "CyberSnot" bug does not fix this bug. Anyway, Microsoft has released their official patch for this bug:

http://www.microsoft.com/ie/security/download.htm!

There is also a third-party bugfix for those who will not apply the patch from MS:

* Start up Internet Explorer
* Go to the "View" menu and choose "Options..."
* Click on the "Programs" tab
* In the "Viewers" section, click on the button labeled "File Types..."
* Scroll down to the "Internet Communication Settings" list item, and highlight it.
* Click on the "Edit..." button.
* Check the box at the bottom of the window labeled "Confirm open after download"
* Click OK on all of the windows.

That should cause the browser to prompt the user for what he/she wishes to do with .ISP files.
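
An added example (not part of the original advisory or the author's text): a Python check over a registry export that lists file types still set to open after download without a prompt, which is what the "Confirm open after download" box controls. It assumes the checkbox corresponds to the FTA_OpenIsSafe bit (0x00010000) of the file class's EditFlags value; the export below and the class name x-internet-signup are constructed sample data.

```python
import re

FTA_OPEN_IS_SAFE = 0x00010000  # assumed mapping: set = no "Confirm open after download" prompt

# Constructed sample export (REGEDIT4 format); class names are illustrative.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.isp]
@="x-internet-signup"

[HKEY_CLASSES_ROOT\x-internet-signup]
@="Internet Communication Settings"
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
"EditFlags"=dword:00000000
'''

def parse_edit_flags(raw):
    """Decode EditFlags written as dword:XXXXXXXX or little-endian hex:aa,bb,cc,dd."""
    kind, _, data = raw.strip().partition(":")
    if kind.lower() == "dword":
        return int(data, 16)
    if kind.lower() == "hex":
        return int.from_bytes(bytes(int(b, 16) for b in data.split(",") if b.strip()), "little")
    raise ValueError("unsupported EditFlags encoding: " + raw)

def auto_open_types(reg_text):
    """Return sorted (extension, class) pairs that open after download without a prompt."""
    ext_to_class, class_flags, key = {}, {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.match(r"\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]$", line, re.I)
        if m:
            key = m.group(1)
        elif line.startswith("["):
            key = None  # subkey or other hive: ignore its values
        elif key and key.startswith(".") and line.startswith('@="'):
            ext_to_class[key.lower()] = line[3:-1]
        elif key and line.lower().startswith('"editflags"='):
            class_flags[key.lower()] = parse_edit_flags(line.split("=", 1)[1])
    return sorted((ext, cls) for ext, cls in ext_to_class.items()
                  if class_flags.get(cls.lower(), 0) & FTA_OPEN_IS_SAFE)
```

Any pair this returns is a file type where the workaround above has not been applied.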