[tomato] SECURITY ALERT - IE 5 HAS SERIOUS SECURITY FLAW!

Maria (Tomato@GlobalGarden.com)
Sun, 29 Aug 1999 19:45:17 -0400

Some hackers search for security holes in order to exploit them; others do 
it for the sheer intellectual challenge. The latter is true in the case of 
Bulgarian hacker Georgi Guninski, who has repeatedly exposed dangerous 
security holes in Microsoft products. Guninski's latest discovery -- a 
treacherous design flaw in Internet Explorer 5.0 -- is perhaps the most 
serious ever. It allows anyone with a Web page to take over your computer 
system via a few simple lines of text within the HTML (hypertext markup 
language) code that comprises the page. If you so much as visit the page, 
your system may be subject to the exploit. As if this weren't bad enough, 
hostile HTML code can also be included in an e-mail message. This is 
possible because many e-mail programs, including Outlook Express, Outlook, 
Eudora Lite, and Eudora Pro, invoke IE5 "behind the scenes" to display 
e-mail that contains HTML code. So, even if you are not using IE5 for your 
usual Web browsing, you may be susceptible. Finally, the exploit can be 
triggered if you read Internet newsgroups with IE5, because -- as with 
e-mail -- a public message posted to one of these groups can contain the 
hostile HTML code that compromises your system. ActiveX-ploit Guninski's 
discovery involves an ActiveX control, included with IE5, which is designed 
to create "scriptlets" -- small programs that run on the user's machine 
when he or she views a Web page or e-mail message. (The control is called 
"Object for constructing type libraries for scriptlets".) Unfortunately, 
the ActiveX control has free access to the user's file system, and can 
easily be made to run amok, overwriting vital system files or planting 
Trojan Horse programs within the system. Because Windows 95, Windows 98, 
and Windows NT systems are all susceptible, the hole allows anyone with a 
Web page to plant malicious programs such as Back Orifice or Back Orifice 
2000 on the system, invisibly taking it over. Guninski's explanation of the 
hole, and the ways in which it can be abused, can be found at 
http://www.nat.bg/~joro/scrtlb.html. ActiveX, a scheme used by Microsoft to 
create software "components" that can be run by other programs, has been 
critiqued by computer security experts because it lacks safeguards against 
abuse by malicious hackers. Protect Yourself Since Microsoft has not posted 
a patch or even an advisory about the Guninski ActiveX scripting hole, 
users must take steps themselves to prevent their systems from being 
exploited. A partial solution is to run a different browser, such as 
Netscape Navigator (http://www.netscape.com) or Opera 
(http://www.operasoftware.com). (Opera is gaining in popularity because, 
unlike Netscape, it does not flash distracting advertisements at the user 
while files are being downloaded or divert the user to Netscape's search 
pages.) However, because IE5 is very tightly "wired" into Windows 98, and 
may pop up unexpectedly or be invoked by third-party programs such as 
Quicken, TurboTax, or Eudora, it is also important to take measures to 
disable the ActiveX feature that causes the vulnerability. The best ways to 
do this are as follows: (1) Change the default security setting for the 
Active Desktop's "Internet Zone from "medium" to "high." (2) Disable the 
option "Script ActiveX controls marked safe for scripting." (3) Disable 
IE's Active Scripting feature. (4) Disable all ActiveX controls and 
plug-ins. It is recommended that users take not one but all of these steps 
to protect themselves. Microsoft has recently been embarrassed by other 
security holes, including one involving a security flaw in its Java Virtual 
Machine. At this writing, Microsoft has posted a security advisory 
concerning the JVM bug and has published a patch 
<http://www.microsoft.com/security/bulletins/ms99-031.asp> for it. However, 
it has not yet publicly addressed Guninski's ActiveX scripting hole, 
leaving users at risk of attacks.