[ISN] Privacy Bug Rash Spreads to IE

From: mea culpa <jericho_at_dimensional.com>
Date: Fri 09 Oct 1998 - 20:03:43 CDT
Forwarded From: phreak moi <hackerelite@deathsdoor.com>

http://www.wired.com/news/news/technology/story/15530.html
Privacy Bug Rash Spreads to IE
by Chris Oakes
12:10 p.m.  9.Oct.98.PDT

A security hole in the latest version of Internet Explorer could deliver
your private computer files to the wrong hands. 

The bug was uncovered by Juan Carlos García Cuartango, a Spanish Web
developer. It apparently allows code on a malicious Web page to steal
virtually any file off a user's hard disk. Cuartango posted a description
of the problem earlier this week, which only attracted the attention of
browser and email-security gurus when it hit a mailing list on Thursday
evening. 

A spokeswoman for Microsoft told Wired News late Friday that the company
has confirmed the problem and is working to correct it. She could not say
when a fix would be available. 

This time, it's Microsoft that takes the fall. Two recently discovered
bugs affected only Netscape's Navigator browser. 

Cuartango could not be reached for comment.

"This [security threat] is probably the worst I've seen because it allows
you to upload an arbitrary file," said Richard Smith of Phar Lap Software. 

Smith tested the bug and found that it causes Internet Explorer 4.01 to
upload a file when a browser visits a malicious Web site whose pages
contain a simple, but potent, set of JavaScript instructions. 

The person writing and posting the script needs to know the specific
location and name of a user's file in order to retrieve it. But Smith
notes that many sensitive files, including a person's email message
repository, are kept in a common location under a default and widely known
filename. 

For example, Smith said many email applications keep users' incoming and
outgoing messages in the same disk location. It would be a simple matter,
he said, for a Web site to take the user's entire inbox. 

The Windows registry file, he added, is also kept in a common location
and, if stolen, would reveal information about the location of other
files. 

The vulnerability is rooted in extensions to hypertext markup language and
JavaScript that were added as part of Internet Explorer's latest Dynamic
HTML features. The bug doesn't affect versions of Explorer prior to 4.0,
Smith said. 

The vulnerable feature allows sites to include an HTML form on their Web
page that will prompt a user to upload a file from the computer to the Web
site. 

Cuartango's site said that Microsoft implemented the feature so that only
the user can enter the name of the file to be uploaded. Microsoft
explicitly prevented JavaScripts -- basically sections of advanced code --
from being able to modify the contents of the filename field. 

However, Microsoft programmers overlooked a simple workaround, Cuartango
says. The information can be entered by a script by simply using common
"copy" and "paste" commands. 

Though a script cannot enter file data, it is allowed to carry out the
pasting function. Therefore, a script can use the function to simply
"paste" in the filename, and thereby upload the file. 

Though Microsoft clearly made an effort to prevent such an exploit, Smith
said that companies need to devote more effort to assessing all possible
vulnerabilities when implementing new features. 

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Fri Oct 9 21:06:13 1998