[Am-info] Another Big MS Browser Hole Found

Fred A. Miller fm@cupserv.org
Mon, 22 Apr 2002 09:35:15 -0400


http://www.wired.com/news/technology/0,1282,51899,00.html

Another Big MS Browser Hole Found
By Michelle Delio

11:41 a.m. April 17, 2002 PDT
Internet Explorer users who click their browser's back
button can expose their Windows system to a malicious
attack.

When users hit the back button on Explorer's toolbar,
the browser's security settings for the "Internet"
zone can be bypassed, and the browser will
automatically execute malicious script embedded in a
site's URL (a javascript: URL).

The problem is caused by what can politely be
described as a design flaw in Explorer. When a Web
page fails to load, Explorer displays a standard error
message. This message is set to operate in the "Local
Computer Zone" security setting, which by default
allows scripting to run automatically.

Script embedded in the earlier URL is executed as if it
came from the security zone of the page currently
displayed, in this case the error page in the Local
Computer Zone, rather than from the site that supplied
it. So a URL containing malicious JavaScript that
might be blocked by default if a user visits the site
directly will be run automatically when the user
presses the back button.

Many users hit the back button when a Web page fails
to load in a timely manner.

The exploit was discovered by Andreas Sandblad, a
Swedish engineering student. Sandblad said he notified
Microsoft of the problem last November. He provided
additional information to Microsoft on March 25.

"Originally, I was only able to produce the same
result when the user pressed the refresh button,"
Sandblad said in an e-mail. "I contacted Microsoft
about it in November and they confirmed the problem.
On Feb. 28, I received mail from them saying that they
didn't think the problem was serious enough to fix."

"Later, I e-mailed Microsoft with additional
information, describing how it was possible to trigger
the same flaw with the back button. A couple of days
later I received a mail explaining that they might fix
the problem in a future service pack. I told them that
I was planning to go public with the vulnerability but
that I could wait if they could convince me that they
were going to fix the issue in reasonable time. They
didn't respond at all."

A Microsoft spokesman said the Microsoft Security
Response Center thoroughly investigated Sandblad's
report "and determined that because the proposed
exploit scenario is dependent upon specific user
interaction as a prerequisite, it does not meet our
definition of a security vulnerability."

"The proposed exploit scenario requires the attacker
to compel the users to click on the back button while
visiting a malicious website. This scenario does not
constitute a viable threat to users following standard
best practices," the spokesman added.

Some users were surprised to find out that Microsoft
believes that using the back button is not a standard,
best security practice.

"Why the hell did they put a back button into the
browser toolbar if they didn't want me to use it?"
Martin Montez, a stockbroker, wondered. "I'm one of
the few people in the world who actually reads the
manuals and there's no warning anywhere that using the
back button could compromise your system."

Microsoft's spokesman said that the company "remains
vigilant in our commitment to keeping users
information safe and will be addressing this issue in
an upcoming release."

Sandblad said he didn't discover the exploit by
accident.

"I have been researching issues regarding the
JavaScript protocol for a long time and I found that
using the history list together with the back button
was a nice way of exploiting it. Often you find flaws
that are hard to take advantage of. Mostly, too much
user interaction is needed. This one is easy."

Sandblad tested the exploit with Internet Explorer 6.0
on Windows 2000 and XP systems. Further tests by Wired
News showed that the exploit also works with various
combinations of Internet Explorer 6.0 and 5.5 on
computers running Windows 2000, NT 5.0, XP and 98.

The exploit does not work on Macs with current
versions of Explorer, or in Mozilla or Opera browsers.
Some tested versions of Netscape returned a JavaScript
error and crashed.


Some antivirus programs, such as McAfee and F-Secure,
were able to block the exploit, and also displayed a
"Trojan" or "Code Event" alert.

A Slashdot reader posted a test that allows users to
see if their system is vulnerable to the exploit.

Sandblad posted details of the exploit on the BugTraq
security mailing list on Wednesday.

In his post, Sandblad suggested the usual fix for
browser woes: disable active scripting. He also noted
that users could choose never to use the back button.
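As an added illustration, not part of the Wired article or of Sandblad's BugTraq post, the following registry file applies the workaround he suggests by turning off Active scripting for the Internet zone. It assumes Internet Explorer's standard zone layout in the registry, where Zones\3 is the Internet zone and action value 1400 is "Active scripting" (0 = Enable, 1 = Prompt, 3 = Disable); the file and its comments are mine.

```reg
Windows Registry Editor Version 5.00

; Internet zone (Zones\3). Action 1400 is "Active scripting":
;   0 = Enable (the weak default the article describes)
;   1 = Prompt
;   3 = Disable (the workaround Sandblad suggests)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003

; Assumption, not something the article recommends: the error page the
; article says runs in the Local Computer Zone lives under Zones\0. Setting
; "1400"=dword:00000003 there as well would remove scripting from that zone,
; but it can break locally installed HTML content, so it is left out here.
```

After importing the file with regedit, confirm the change in Tools > Internet Options > Security > Internet > Custom Level, where Active scripting should now read "Disable"; a per-user setting like this one does not protect other accounts on the same machine.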

Programmer Mikal Zabor also suggested that Windows
users, those who "must run Explorer," should consider
installing the Windows operating system anywhere but
their main (C) drive.

"Many exploits assume things about your system. They
assume you're running Microsoft products, and they
assume your system is on the C drive with the default
install. If you move the system off the main drive, or
set up partitions, you make it harder for malicious
hackers."

Sandblad also said he is still waiting for Microsoft
to fix the last vulnerability he reported to the
company.

"The patch they released in the bulletin MS02-015
'Cookie-based Script Execution' only fixed part of the
problem," Sandblad said.

-- 
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org
--- SuSE Linux v7.3 Pro---