[tomato] SECURITY ALERT - IE 5 HAS SERIOUS SECURITY FLAW!
Maria (Tomato@GlobalGarden.com)
Sun, 29 Aug 1999 19:45:17 -0400
Some hackers search for security holes in order to exploit them; others do
it for the sheer intellectual challenge. The latter is true in the case of
Bulgarian hacker Georgi Guninski, who has repeatedly exposed dangerous
security holes in Microsoft products. Guninski's latest discovery -- a
treacherous design flaw in Internet Explorer 5.0 -- is perhaps the most
serious ever. It allows anyone with a Web page to take over your computer
system via a few simple lines of text within the HTML (hypertext markup
language) code that comprises the page. If you so much as visit the page,
your system may be subject to the exploit. As if this weren't bad enough,
hostile HTML code can also be included in an e-mail message. This is
possible because many e-mail programs, including Outlook Express, Outlook,
Eudora Lite, and Eudora Pro, invoke IE5 "behind the scenes" to display
e-mail that contains HTML code. So, even if you are not using IE5 for your
usual Web browsing, you may be susceptible. Finally, the exploit can be
triggered if you read Internet newsgroups with IE5, because -- as with
e-mail -- a public message posted to one of these groups can contain the
hostile HTML code that compromises your system.

ActiveX-ploit

Guninski's discovery involves an ActiveX control, included with IE5,
which is designed
to create "scriptlets" -- small programs that run on the user's machine
when he or she views a Web page or e-mail message. (The control is called
"Object for constructing type libraries for scriptlets".) Unfortunately,
the ActiveX control has free access to the user's file system, and can
easily be made to run amok, overwriting vital system files or planting
Trojan Horse programs within the system. Because Windows 95, Windows 98,
and Windows NT systems are all susceptible, the hole allows anyone with a
Web page to plant malicious programs such as Back Orifice or Back Orifice
2000 on the system, invisibly taking it over. Guninski's explanation of the
hole, and the ways in which it can be abused, can be found at
http://www.nat.bg/~joro/scrtlb.html. ActiveX, a scheme used by Microsoft to
create software "components" that can be run by other programs, has been
critiqued by computer security experts because it lacks safeguards against
abuse by malicious hackers.

Protect Yourself

Since Microsoft has not posted
a patch or even an advisory about the Guninski ActiveX scripting hole,
users must take steps themselves to prevent their systems from being
exploited. A partial solution is to run a different browser, such as
Netscape Navigator (http://www.netscape.com) or Opera
(http://www.operasoftware.com). (Opera is gaining in popularity because,
unlike Netscape, it does not flash distracting advertisements at the user
while files are being downloaded or divert the user to Netscape's search
pages.) However, because IE5 is very tightly "wired" into Windows 98, and
may pop up unexpectedly or be invoked by third-party programs such as
Quicken, TurboTax, or Eudora, it is also important to take measures to
disable the ActiveX feature that causes the vulnerability. The best ways to
do this are as follows:

(1) Change the default security setting for the Active Desktop's
    "Internet Zone" from "medium" to "high."
(2) Disable the option "Script ActiveX controls marked safe for scripting."
(3) Disable IE's Active Scripting feature.
(4) Disable all ActiveX controls and plug-ins.

It is recommended that users take not one but all of these steps to protect
themselves.

Microsoft has recently been embarrassed by other
security holes, including one involving a security flaw in its Java Virtual
Machine. At this writing, Microsoft has posted a security advisory
concerning the JVM bug and has published a patch
<http://www.microsoft.com/security/bulletins/ms99-031.asp> for it. However,
it has not yet publicly addressed Guninski's ActiveX scripting hole,
leaving users at risk of attacks.
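
One way to confirm that all four steps listed above were actually applied (an added example, not part of the original message): audit an exported copy of the Internet zone's registry key. It assumes the settings live under Internet Settings\Zones\3 with the value names 1200, 1400, 1405 and CurrentLevel and the data shown in the comments; the sample export is constructed.

```python
import re

# Constructed sample: text of a .reg export of the Internet zone key (zone 3).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1200"=dword:00000000
"1400"=dword:00000000
"1405"=dword:00000003
'''

# Assumed encodings (not stated in the message above):
HIGH = 0x12000   # CurrentLevel data for the "High" template (0x11000 = Medium)
DISABLE = 3      # URL action data: 0 = enable, 1 = prompt, 3 = disable

# (step from the list above, registry value name, required data)
CHECKS = [
    ("(1) Internet zone level is High", "CurrentLevel", HIGH),
    ("(2) Script ActiveX controls marked safe for scripting", "1405", DISABLE),
    ("(3) Active Scripting", "1400", DISABLE),
    ("(4) Run ActiveX controls and plug-ins", "1200", DISABLE),
]

DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_dwords(reg_text):
    """Return {value name: int} for every dword line in the export."""
    values = {}
    for line in reg_text.splitlines():
        m = DWORD_LINE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """Return [(step label, ok)]; a value missing from the export is not ok."""
    values = parse_dwords(reg_text)
    return [(label, values.get(name) == want) for label, name, want in CHECKS]

def unmet_steps(reg_text):
    """Labels of the steps that still need to be applied."""
    return [label for label, ok in audit(reg_text) if not ok]

if __name__ == "__main__":
    for label, ok in audit(SAMPLE_REG):
        print(("OK   " if ok else "TODO ") + label)
```

On the constructed sample, only step (2) has been applied, so the other three are reported as outstanding.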