
Another Big MS Browser Hole Found
By Michelle Delio
11:41 a.m. April 17, 2002 PDT

Internet Explorer users who click their browser's back button open the Windows operating system to a malicious hack attack.

When users hit the back button on Explorer's toolbar, the browser's security settings for the "Internet" zone can be bypassed, and the browser will automatically execute malicious code embedded into a site's URL.

The problem is caused by what can politely be described as a design flaw in Explorer. When a Web page fails to load, Explorer displays a standard error message. This message is set to operate in the "Local Computer Zone" security setting, which by default allows scripting to run automatically.

Any code inserted in the original URL is handled as if it came from the same security zone as the last URL viewed. So a URL containing malicious JavaScript that would be blocked by default if the user visited the site directly is automatically triggered when the user presses the back button.

Many users hit the back button when a Web page fails to load in a timely manner.

The exploit was discovered by Andreas Sandblad, a Swedish engineering student. Sandblad said he notified Microsoft of the problem last November. He provided additional information to Microsoft on March 25.

"Originally, I was only able to produce the same result when the user pressed the refresh button," Sandblad said in an e-mail. "I contacted Microsoft about it in November and they confirmed the problem. On Feb. 28, I received mail from them saying that they didn't think the problem was serious enough to fix."

"Later, I e-mailed Microsoft with additional information, describing how it was possible to trigger the same flaw with the back button. A couple of days later I received a mail explaining that they might fix the problem in a future service pack. I told them that I was planning to go public with the vulnerability but that I could wait if they could convince me that they were going to fix the issue in reasonable time. They didn't respond at all."

A Microsoft spokesman said the Microsoft Security Response Center thoroughly investigated Sandblad's report "and determined that because the proposed exploit scenario is dependent upon specific user interaction as a prerequisite, it does not meet our definition of a security vulnerability."

"The proposed exploit scenario requires the attacker to compel the users to click on the back button while visiting a malicious website. This scenario does not constitute a viable threat to users following standard best practices," the spokesman added.

Some users were surprised to find out that Microsoft believes that using the back button is not a standard, best security practice.

"Why the hell did they put a back button into the browser toolbar if they didn't want me to use it?" Martin Montez, a stockbroker, wondered. "I'm one of the few people in the world who actually reads the manuals and there's no warning anywhere that using the back button could compromise your system."

Microsoft's spokesman said that the company "remains vigilant in our commitment to keeping users' information safe and will be addressing this issue in an upcoming release."

Sandblad said he didn't discover the exploit by accident.

"I have been researching issues regarding the JavaScript protocol for a long time and I found that using the history list together with the back button was a nice way of exploiting it. Often you find flaws that are hard to take advantage of. Mostly, too much user interaction is needed. This one is easy."

Sandblad tested the exploit with Internet Explorer 6.0 on Windows 2000 and XP systems. Further tests by Wired News showed that the exploit also works with various combinations of Internet Explorer 6.0 and 5.5 on computers running Windows 2000, NT 5.0, XP and 98.

The exploit does not work on Macs with current versions of Explorer, or in Mozilla or Opera browsers. Some tested versions of Netscape returned a JavaScript error and crashed.

Some antivirus programs, such as McAfee and F-Secure, were able to block the exploit, and also displayed a "Trojan" or "Code Event" alert.

A Slashdot reader posted a test that allows users to see if their system is vulnerable to the exploit.

Sandblad posted details of the exploit on the BugTraq security mailing list on Wednesday.

In his post, Sandblad suggested the usual fix for browser woes: disable active scripting. He also noted that users could choose never to use the back button.

Programmer Mikal Zabor also suggested that Windows users, those who "must run Explorer," should consider installing the Windows operating system anywhere but their main (C) drive.

"Many exploits assume things about your system. They assume you're running Microsoft products, and they assume your system is on the C drive with the default install. If you move the system off the main drive, or set up partitions, you make it harder for malicious hackers."

Sandblad also said he is still waiting for Microsoft to fix the last vulnerability he reported to the company.

"The patch they released in the bulletin MS02-015 'Cookie-based Script Execution' only fixed part of the problem," Sandblad said.

Edward   ><+>
