Operating System:


06 March 1997

Protect yourself against future threats.


              AUSCERT External Security Bulletin Redistribution

           ESB-97.032 -- Microsoft Internet Explorer Vulnerability
                              7 March 1997


CERT-NL has released the following advisory concerning a vulnerability in
Microsoft Internet Explorer versions 3.01 and earlier for Windows 95 and
Windows NT.

This following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

Contact information for CERT-NL is included in the Security Bulletin below.
If you have any questions or need further information, please contact them

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
	AUSCERT personnel answer during Queensland business hours
	which are GMT+10:00 (AEST).
	On call after hours for emergencies.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisory                                                       CERT-NL
Author/Source : Rene Ritzen                                 Index  :    S-97-17
Distribution  : World                                       Page   :
Classification: External                                    Version:
Subject       : Microsoft Internet Explorer Vulnerability   Date   :  05-mar-97

By courtesy of web-exposed information from Paul Greene, Geoffrey Elliott 
& Brian Morin, checks by Jorg Bosman of the SURFnet Expertise Centre (SEC), 
and public confirmation by Microsoft,
CERT-NL passes on information on a vulnerability in Microsoft Internet 
Explorer version 3.01 and earlier for Windows 95 and Windows NT.

Microsoft Internet Explorer will execute ".LNK" and ".URL" files appearing on 
webpages - this execution can result in many things up to your hard disk being 
deleted. Having tweaked Internet Explorer to its highest security level, 
including having excluded JAVA and ActiveX, *does not help*.

Microsoft published a bug-fix. We recommend to either install this bug-fix, or 
*not use* Internet Explorer. 

Details and fix information follow below.



Quote from Greene, Elliott & Morin 
<http://http://www.cybersnot.com/iebug.html> :


	Internet Explorer Bug 2/27/97 (Version 3.0 (4.70.1155))

	Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug 
	which allows web page writers to use ".LNK" and ".URL" files to run 
	programs on a remote computer. This bug is particularly damaging
	because it uses NO ActiveX and works even when Internet Explorer is 
	set to its highest security level.
	It was tested on Microsoft Internet Explorer Version 3.0 (4.70.1155) 
	running Windows 95. This demo assumes that Windows is installed in

	.URL files are WORSE than .LNK files because .URLs work in both 
	Windows 95 and Windows NT 4.0 (.LNK's only work in Windows 95). 
	.URL files present a possibly greater danger because they can be 
	easily created by server side scripts to meet the specific settings 
	of a user's system. [...]

	The "shortcuts" can be set to be minimized during execution which 
	means that users may not even be aware that a program has been started.
	Microsoft's implementation of shortcuts becomes a serious concern if 
	a webpage can tell Internet Explorer to refresh to an executable.
	Or worse, client side scripts (Java, JavaScript, or VBScript) can use		the 
        the Explorer object to transfer a BATCH file to the target machine 
	and then META REFRESH to that BATCH file to execute the rogue 
	command in that file.

	The following table outlines which areas and users each shortcut 
	type effects:

            File | Windows| Windows| Execute| Command  | Searches|
            Type |   95   |   NT   |  Apps  | Line Args| Path    |
                 |        |        |        |  Allowed |         |
            .LNK |   Yes  |   No   |   Yes  |   Yes    |  No     |
            .URL |   Yes  |   Yes  |   Yes  |   No     |  Yes    |
                        Security Comparision .URL vs .LNK

	Naturally, the files must exist on the remote machine to be properly
	executed. But, Windows 95 comes with a variety of potentially 
	damaging programs which can easily be executed. 
	[...like starting Windows Calculator, or deleting directories...]

 	This bug can be used to wreak havoc on a remote user's machine.



    Microsoft has released a security fix for Microsoft Internet Explorer
    version 3.01 (english version) which can be found at


    Fixes for Microsoft Internet Explorer 3.0 for Windows 95 and Windows NT
    4.0 will become available within the next 24 hours.
    Fixes for the International versions will follow in the next few weeks.

    After installing the fix Internet Explorer offers the user a choice
    to either run the .LNK or .URL file or to store it on the local disk.

    In the opinion of CERT-NL this fix is not complete. The user is still
    not able to check in advance if the requested .LNK or .URL is safe to
    run or to download.
    However CERT-NL recommends that users limit the exploitation of this
    vulnerability by immediately installing the Microsoft security fix and
    still check the files they download before they execute them.

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
   Email:     cert-nl@surfnet.nl
   Phone:     +31 302 305 305
   Fax:       +31 302 305 329
   Snailmail: SURFnet bv
   Attn. CERT-NL
   P.O. Box 19035

- --------------------------END INCLUDED TEXT--------------------

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key