Published:
06 March 1997
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-97.032 -- Microsoft Internet Explorer Vulnerability
7 March 1997
===========================================================================
CERT-NL has released the following advisory concerning a vulnerability in
Microsoft Internet Explorer versions 3.01 and earlier for Windows 95 and
Windows NT.
This following security bulletin is provided as a service to AUSCERT's
members. As AUSCERT did not write this document, AUSCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
Contact information for CERT-NL is included in the Security Bulletin below.
If you have any questions or need further information, please contact them
directly.
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
- --------------------------BEGIN INCLUDED TEXT--------------------
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Rene Ritzen Index : S-97-17
Distribution : World Page :
Classification: External Version:
Subject : Microsoft Internet Explorer Vulnerability Date : 05-mar-97
===============================================================================
By courtesy of web-exposed information from Paul Greene, Geoffrey Elliott
& Brian Morin, checks by Jorg Bosman of the SURFnet Expertise Centre (SEC),
and public confirmation by Microsoft,
CERT-NL passes on information on a vulnerability in Microsoft Internet
Explorer version 3.01 and earlier for Windows 95 and Windows NT.
Microsoft Internet Explorer will execute ".LNK" and ".URL" files appearing on
webpages - this execution can result in many things up to your hard disk being
deleted. Having tweaked Internet Explorer to its highest security level,
including having excluded JAVA and ActiveX, *does not help*.
Microsoft published a bug-fix. We recommend to either install this bug-fix, or
*not use* Internet Explorer.
Details and fix information follow below.
===============================================================================
I. DETAILS
Quote from Greene, Elliott & Morin
<http://http://www.cybersnot.com/iebug.html> :
[BEGIN QUOTE]
Internet Explorer Bug 2/27/97 (Version 3.0 (4.70.1155))
Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug
which allows web page writers to use ".LNK" and ".URL" files to run
programs on a remote computer. This bug is particularly damaging
because it uses NO ActiveX and works even when Internet Explorer is
set to its highest security level.
It was tested on Microsoft Internet Explorer Version 3.0 (4.70.1155)
running Windows 95. This demo assumes that Windows is installed in
"C:WINDOWS". Windows 95 DOES NOT PROMPT BEFORE EXECUTING THESE FILES.
.URL files are WORSE than .LNK files because .URLs work in both
Windows 95 and Windows NT 4.0 (.LNK's only work in Windows 95).
.URL files present a possibly greater danger because they can be
easily created by server side scripts to meet the specific settings
of a user's system. [...]
The "shortcuts" can be set to be minimized during execution which
means that users may not even be aware that a program has been started.
Microsoft's implementation of shortcuts becomes a serious concern if
a webpage can tell Internet Explorer to refresh to an executable.
Or worse, client side scripts (Java, JavaScript, or VBScript) can use the
the Explorer object to transfer a BATCH file to the target machine
and then META REFRESH to that BATCH file to execute the rogue
command in that file.
The following table outlines which areas and users each shortcut
type effects:
File | Windows| Windows| Execute| Command | Searches|
Type | 95 | NT | Apps | Line Args| Path |
| | | | Allowed | |
======================================================
.LNK | Yes | No | Yes | Yes | No |
------------------------------------------------------
.URL | Yes | Yes | Yes | No | Yes |
======================================================
Security Comparision .URL vs .LNK
Naturally, the files must exist on the remote machine to be properly
executed. But, Windows 95 comes with a variety of potentially
damaging programs which can easily be executed.
[...like starting Windows Calculator, or deleting directories...]
This bug can be used to wreak havoc on a remote user's machine.
[...]
[END QUOTE]
II. FIX INFORMATION
Microsoft has released a security fix for Microsoft Internet Explorer
version 3.01 (english version) which can be found at
http://www.microsoft.com/ie/security/update.htm
Fixes for Microsoft Internet Explorer 3.0 for Windows 95 and Windows NT
4.0 will become available within the next 24 hours.
Fixes for the International versions will follow in the next few weeks.
After installing the fix Internet Explorer offers the user a choice
to either run the .LNK or .URL file or to store it on the local disk.
In the opinion of CERT-NL this fix is not complete. The user is still
not able to check in advance if the requested .LNK or .URL is safe to
run or to download.
However CERT-NL recommends that users limit the exploitation of this
vulnerability by immediately installing the Microsoft security fix and
still check the files they download before they execute them.
============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://www.surfnet.nl/surfnet/security/cert-nl.html
ftp://ftp.surfnet.nl/surfnet/net-security
In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl
Phone: +31 302 305 305
Fax: +31 302 305 329
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
============================================================================
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBMyAziih9+71yA2DNAQHAfgP+OhHFZioTYK/LV9CKMxoH4Ngsdxwu6ign
D8zVFoDiVKEKsSxUKrmmQcAkW7jeaqtbv0+K/wqSyNBvRlp8mwPL+8J+ViJNojpo
Vk4WyfL1gK63xh6hQroXiLfyYATaInCgrf+SHG+BpD3ncH0GflTFxPOFwkkb4ihw
3Ti5PzAR9h8=
=x2OA
-----END PGP SIGNATURE-----