Re: Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - UPDATED
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 05/16/03
Date: Fri, 16 May 2003 00:01:43 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
FYI, a few people have suggested that they were unable to get their IE compromised via the methods described by Marek, and confirmed by http-equiv. I personally have tested Marek's claims and can confirm it works on fully patched IE 6.0 implementations. The only way I have been able to stop it from working is to place the site with the attacking application in the Restricted Sites zone, otherwise this works as advertised.
I will say this, however. I'm not convinced that what is being by-passed is the Trust Zone model. IE uses a registry value known as DocObject to determine what to do when certain file types are requested. That key, and not the Trust Zone model, is the determining factor, in my opinion, for IE to decide how to handle the file request. If the DocObject value is set one way, IE will prompt you to save a file. Set another way, it will execute the file (using an associated helper app if necessary).
In my tests, the majority of requests for a given file result in a dialog window saying that the file is unsafe, or that it should be saved to disk. After enough calls, this dialog is not presented and the file is executed. To my way of thinking this is because the registry check is not being performed. I may be completely wrong, but that's how it looks to me.
To Marek's credit, it should be known that it takes some consideration of what Marek has said to fully appreciate what he's discovered. I know I didn't see the importance of his discovery from his initial posting to Bugtraq last week. On the down side, the attack won't be picked up by AV, doesn't require scripting, can't be stopped except by shutting down the system, and will work enough times to be very effective. On the up side the attacking code runs in the context of the running user, and there has to be a source host for the attacking code, which will likely be blocked quickly should the attack get used.
One good side-effect is that those people trying to find ways to make IE run something it's not supposed to need no longer bother to look for such ways. Who cares about elaborate ways of making the OBJECT or CODEBASE tags invoke a program when you can do so without scripting or anything obvious?
If I wanted to run something I wasn't supposed to on a box this would be a very effective way of doing it.
Cheers,
Russ - NTBugtraq Editor
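As an added example (not part of Russ's post or any NTBugtraq material), the following PowerShell script inventories which registered file extensions resolve to a handler class that declares the DocObject key, so an administrator can see which file types IE would host in-place rather than offer the save prompt. It assumes DocObject is a subkey under the handler's ProgID or under HKCR\CLSID\{clsid}, as with Windows ActiveX Document registration; the post itself only calls it "a registry value", so that placement is this example's assumption.

```powershell
# Added example, not from the original post. Lists extensions whose handler
# class registers a DocObject key (ASSUMPTION: key lives under the ProgID or
# under HKCR\CLSID\{clsid}). Read-only; run in PowerShell on the client.

$hkcr = 'Registry::HKEY_CLASSES_ROOT'

function Get-DocObjectExtensions {
    $results = @()
    $extKeys = Get-ChildItem -Path $hkcr -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -like '.*' }

    foreach ($extKey in $extKeys) {
        $ext    = $extKey.PSChildName
        # Default value of HKCR\.ext is the ProgID (e.g. a document class name)
        $progId = (Get-ItemProperty -Path $extKey.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }

        # Follow ProgID -> CLSID, then check for DocObject at either level
        $clsid = (Get-ItemProperty -Path "$hkcr\$progId\CLSID" -ErrorAction SilentlyContinue).'(default)'
        $docObjProgId = Test-Path -Path "$hkcr\$progId\DocObject"
        $docObjClsid  = $false
        if ($clsid) { $docObjClsid = Test-Path -Path "$hkcr\CLSID\$clsid\DocObject" }

        if ($docObjProgId -or $docObjClsid) {
            $results += [pscustomobject]@{
                Extension   = $ext
                ProgId      = $progId
                Clsid       = $clsid
                DocObjectAt = $(if ($docObjClsid) { 'CLSID' } else { 'ProgID' })
            }
        }
    }
    return $results
}

# Print the inventory; review any type here that you would not expect IE to open in-place
Get-DocObjectExtensions | Sort-Object Extension | Format-Table -AutoSize
```

Types that appear in this list are the ones to weigh against the Restricted Sites zone placement the post describes as the only working mitigation.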