- IE

                                                     DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  IE

SYSTEMS AFFECTED

  Windows '95, Internet Explorer v3.01
  

PROBLEM


    A newly (at this momemnt)  discovered third bug exploits the  fact
    that  ".isp"  script  files  may  be  downloaded  and  executed by
    Internet Explorer.  This is  essentially just  another permutation
    of  the  "CyberSnot"  bug  (see  Internet  Explorer #1 on Security
    Bugware).  Author's text can be found at following address:

        http://web.mit.edu/crioux/www/ie/index.html#exploits

    Text used here is part of  author's original text.  This has  been
    discovered by Chris Rioux

    This hole  allows a  malicious web  page to  automatically run any
    program  on  the  user's  hard  drive,  which  means that users of
    Internet  Explorer  could  have   their  hard  drives   completely
    deleted,  their  private  information  stolen,  or  their computer
    infected with a virus merely by looking at a web page.

    This bug  works on  a similar  principle as  the bug discovered at
    WPI.   However, instead  of using  .lnk files  or .url files, this
    bug exploits the fact that other files can also be downloaded  and
    automatically executed without prompting the user for  permission.
    This bug is  not fixed by  the security patch  which Microsoft put
    out for the WPI bug.

    This  bug  has  thus  far  only  been  verified  on the Windows 95
    version of Internet Explorer. This  bug does not appear to  affect
    Windows NT (any service pack/version), in its usual configuration.

    On page mentioned above you can find simple demo exploits which:

        * Download a remote file (think about virus)
        * Create and delete directories (what about your HD)
        * Running a local file (familiar with deltree.exe)

    This bug only requires that a user look at a particular web  page.
    The user does not need to click on any "disguised hyperlinks"  for
    the bug to  be exploited. Our  example exploits demonstrate  this.
    Last time,  it was  mis-reported that  users needed  to click on a
    disguised  hyperlink  to  activate  the  exploit.  In fact, with a
    little more programming  it can be  made automatic so  that a user
    only needs to look at a page (as it is with our bug).



EXPLOIT

  

SOLUTION


    Even  this  is  essentially   just  another  permutation  of   the
    "CyberSnot" bug, however  the patch released  by Microsoft to  fix
    the "CyberSnot" bug does not fix this bug.  Anyway, Microsoft  has
    released their official patch to this bug:

        http://www.microsoft.com/ie/security/download.htm!

    There is also Third-Party Bugfix for those who will not apply
    patch from MS:

        * Start up Internet Explorer
        * Go to the "View" menu and choose "Options..."
        * Click on the "Programs" tab
        * In the "Viewers" section, click on the button labeled  "File
          Types..."
        * Scroll  down to  the "Internet  Communication Settings" list
          item, and highlight it.
        * Click on the "Edit..." button.
        * Check the box at  the bottom of the window  labeled "Confirm
          open after download"
        * Click OK on all of the windows.

    That should cause the browser  to prompt the user for  what he/she
    wishes to do with .ISP files.