RE: IE execution of arbitrary commands without Active Scripting or ActiveX (GM#001-IE) + Workaround.

From: GreyMagic Software (security@greymagic.com)
Date: 03/03/02


From: "GreyMagic Software" <security@greymagic.com>
To: "Stefan Osterlitz" <stefan@osterlitz.de>, "GreyMagic Software" <security@greymagic.com>
Date: Sun, 3 Mar 2002 03:02:18 +0200

As the advisory mentions, this exploit only works for IE5.5+, and I quote:
"Any application that hosts the WebBrowser control (5.5+) is affected
since..."
Many people seem to have missed that and emailed us about the fact that "it
doesn't work here!" while using IE5, so to make it perfectly clear;

The bug only exists in IE5.5 and later versions, even if you set your
Internet Zone to disable the download of ActiveX.

Regardless of all this, we were notified of a possible workaround and
thought that this is important to share;

Since the injected <object> runs in the "My Computer" Zone, changing the
Internet Zone's settings didn't affect it, but changing the correct zone's
settings will prevent this exploit from running.

Here is the registry information:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change "1004" (DWORD) to 0x3.

Many thanks to Axel Pettinger and Garland Hopkins for this workaround.

Regards,
        L. Dagon,
        GreyMagic Software, Israel.

-----Original Message-----
From: Stefan Osterlitz [mailto:stefan@osterlitz.de]
Sent: Friday, March 01, 2002 13:02
To: GreyMagic Software
Cc: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: IE execution of arbitrary commands without Active Scripting
or ActiveX (GM#001-IE)

> Solution:
> =========

> There is no configuration-tweaking workaround for this bug, it will work as
> long as the browser parses HTML. The only possible solution must come in the
> form of a patch from Microsoft.

IMHO this is wrong. You can disable the download of signed / unsigned
ActiveX controls.
My IE version 5.00.2614.3500 w/patches is not vulnerable with that setting.

> Tested on:
> ==========

> IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
> IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
> IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
> IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.
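
The registry workaround described in the message above, as an added PowerShell example (not part of the original thread and not GreyMagic's code): it reports the current value of action 1004 for zone 0 and, with -Apply, sets the HKCU value to 3. Background not stated in the thread: 1004 is the "Download unsigned ActiveX controls" URL action, and the data values 0, 1 and 3 mean enable, prompt and disable. Checking the HKLM copy of the key is an assumption added here; the message only names HKCU.

```powershell
# Added example: audit and apply the zone 0 ("My Computer") workaround.
# Usage: .\Set-Zone0Workaround.ps1          (report only; script name is hypothetical)
#        .\Set-Zone0Workaround.ps1 -Apply   (write the HKCU value)
param([switch]$Apply)

$Action  = '1004'   # value name given in the message
$Desired = 3        # 0x3, as given in the message
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$SubKey  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'

# HKCU is the key from the message. HKLM is read as well (assumption: a
# machine-wide copy of the zone settings may exist on the host being checked).
$HkcuKey = "HKCU:\$SubKey"
$Keys    = $HkcuKey, "HKLM:\$SubKey"

function Get-ZoneAction {
    # Returns the DWORD as an int, or $null when the key or value is absent.
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

function Format-ZoneAction {
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    if ($Meaning.ContainsKey($Value)) { return ('0x{0:X} ({1})' -f $Value, $Meaning[$Value]) }
    return ('0x{0:X} (unrecognised)' -f $Value)
}

foreach ($key in $Keys) {
    $value  = Get-ZoneAction -Path $key
    $status = if ($value -eq $Desired) { 'OK' } else { 'NOT HARDENED' }
    '{0,-13} {1} -> {2}' -f $status, $key, (Format-ZoneAction $value)
}

if ($Apply) {
    # Create the key if missing, record the old value, then write the DWORD.
    if (-not (Test-Path -Path $HkcuKey)) { New-Item -Path $HkcuKey -Force | Out-Null }
    $before = Get-ZoneAction -Path $HkcuKey
    New-ItemProperty -Path $HkcuKey -Name $Action -Value $Desired `
        -PropertyType DWord -Force | Out-Null
    'Changed {0}\{1}: {2} -> {3}' -f $HkcuKey, $Action,
        (Format-ZoneAction $before), (Format-ZoneAction (Get-ZoneAction -Path $HkcuKey))
}
```

The value is per user, so the check has to be run in each account's context; the previous value is printed so the change can be reverted.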


