The very functionality that permits Microsoft IE5 to download a Web page allows that page to use server-side redirection to execute client code capable of accessing local files and then returning them to the Web server. That's supposed to be prevented by IE's security architecture; the server shouldn't be able to access client machines, because the two do not reside on the same network. But through a security flaw in the product's "Download Behavior" function call, a malicious server can trick the client into thinking that a downloaded JavaScript or VBScript application resides on the same domain, giving that application full access to the local file system. KeyLabs tested the design flaw, as reported by several sources, and confirmed it. "This is a very serious bug. The sample code used in our testing opened and then displayed our autoexec.bat file," said Ralph Decker, lab director for KeyLabs. "But this code could just as easily have accessed sensitive system files."
(KeyLabs also tested Netscape Communications' Communicator 4.61, which came up clean: Communicator does not allow remote code to execute locally, so it sidesteps the issue entirely.)
Microsoft has acknowledged the flaw and the privacy issues, and plans to provide a security patch. Meanwhile, disable Active Scripting as follows:
This will keep you safe from malicious server-side code, but it also prevents you from using client-side code (often needed just to get your e-mail). That means sites that rely on JavaScript and VBScript for even the most menial tasks may work poorly or fail outright.
Microsoft suggests IE5 users can add trusted Web sites one by one to their Trusted Sites Zone from the Security Tab within their Internet Options. "But without a real fix," says Decker, "users who are concerned about personal security will have to either live dangerously or find a new browser."
A Melissa-like virus was found in the Netherlands. Classified by Computer Associates as "moderately dangerous," this worm-type virus is named "Badass" and is similar to the devastating Melissa virus, with the potential to overload e-mail servers. It proliferates by using Microsoft Outlook to send an e-mail to all users in the Outlook address book. A file called BADASS.EXE is attached to the message which, when executed, displays a message box with obscene content and a "yes" and "no" button. However, the worm does not install itself on a user's system. If encountered, Computer Associates recommends deleting the file BADASS.EXE.
Melissa's alleged "daddy," former computer programmer David L. Smith, of Aberdeen, New Jersey, was arrested on April 1, 1999 on charges he created and distributed the Melissa virus -- a nasty Word macro that swamped the e-mail systems of thousands of computers around the world in late March.
Explorer.zip and Cholera are both still out there.
New outbreaks of "Cholera," the "Thursday" virus, and a Trojan horse that masquerades as a JPEG file have been going on since early September. Like the Melissa and ExploreZip viruses earlier this year, Cholera sends itself to e-mail addresses that it finds in address books, text, and HTML documents on infected drives. It arrives as an e-mail containing only the emoticon ":)" in the body and an attachment named Setup.exe, which looks like a standard Windows install program. Computer Associates, a New York-based company that sells antivirus software among a variety of products, classifies Cholera as a "moderate" threat.
The new 'Explore' worm, which originated in Israel, spreads through e-mail and can destroy your data. It replicates through Microsoft Outlook or Microsoft Exchange, searches your system for Microsoft Word, Excel, and PowerPoint files, and destroys them, sometimes unrecoverably.
As always, be very careful about opening e-mail attachments that you aren't expecting. And you need to use updated antivirus software. ZDNet reports that Trend Micro and Network Associates both say they have a fix on their websites. The other major providers may have them as well.