Re: Update on status of IE security

From: Ben Gollmer (ben@jatomail.net)
Date: 04/25/02


Date: Thu, 25 Apr 2002 11:28:40 -0500
From: Ben Gollmer <ben@jatomail.net>
To: <winquestion@hushmail.com>, MS Security <focus-ms@securityfocus.com>


 This is certainly interesting behavior. I don't have a box here to test
this on, but does it have anything to do with the "Automatically detect
settings" option? (Internet Options->Connections->LAN Settings) I know IE6
has this too, but I wonder if they changed its behavior. Perhaps it is
scanning the network for proxy hosts or something.

Ben

On 4/24/02 11:47 PM, "winquestion@hushmail.com" <winquestion@hushmail.com>
wrote:

>
> I sent out a question regarding how I discovered an odd proxy-type behavior
> with IE when asked by my teacher to upgrade all the lab Win2k PCs from IE
> 5.5 to IE6. All the nodes plug into a switch that plugs into a Cisco 3640
> that uses NAT to talk to the Internet.
>
> The issue at the time was that I noticed that IE 5.5 submits the data to a
> local port before accessing the remote destination.
>
> Normal process:
> IE opens a connection on a random high port and then connects to port 80
> of destination
> i.e. localhost:1214 => www.abc.com:80
>
> Process on my lab PCs:
> IE opens a connection on a random high port => to a random static high
> end port on the localhost and then connects to port 80 of destination
> i.e. localhost:1214 => localhost:1033 => www.abc.com:80
>
> The port 1033 will remain valid until the browser is closed. All subsequent
> http or https sessions from the browser or any type of connection all go
> to port 1033 prior to reaching the Internet. This behavior is similar to a
> proxy. The port 1033 is random. IE 5.5 assigns a different random static port
> for this proxy behavior every time it starts up. Telnetting to this static port
> produces nothing so I don't really know why IE has this port on.
>
> ---UPDATE----
> I can say I reconfirmed the behavior when installing onto two new PCs using
> different Win2k media. It occurs with IE 5 and 5.5. I even recently
> discovered this with 6.0. I perform the upgrades to 5.5 and 6.0 with either a
> Microsoft update CD, the IE that comes with Quicken, or through the Windows
> Update function. This behavior is present on all my test systems.
>
> Some windows firewalls miss this because
>
> 1. There is a default rule that permits any localhost to localhost traffic so
> this behavior will not show up as a violation. It only shows up if logging is
> enabled.
>
> 2. Some firewalls do not even offer port number or destination configuration
> for their rulesets. They are based on the concept of all or nothing access.
> Either allow the app to access the Internet or not. So if you allow IE
> to access the Internet then it will not show you that it is going through
> the random static port first, emulating proxy behavior before heading off to the
> Internet.
>
> Once again, all proxies are off. No manual or automatic detection of proxies
> has been set. No proxies are running on the network since they were the only
> PC turned on at the time and everyone else has been disconnected from the
> switch.
>
> Also I repeat that Ad-aware and Norton AntiVirus did not detect any spyware,
> trojans, or viruses.
>
> Some folks say to just not upgrade to IE6, but that still does not explain why
> this behavior is present with IE 5.0 and 5.5.
>
> I know my machine has not been hacked because I even reinstalled a Win2k
> machine from scratch for these tests and it still exhibits the same proxy
> behavior. The media is genuine also.
>
> So my question is if anyone else is seeing this behavior or is it just me?
>
> Why does IE bring up this random high port to be used as a proxy? Tools such
> as insider say it is owned by IE. Netstat shows it is bound locally.
>
>

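The localhost-to-localhost pattern described in the quoted message can be picked out of `netstat -an` output mechanically, which helps when a firewall's default loopback rule hides it. The following is an added example, not part of the original thread: the sample output is constructed, and the code assumes the shared port appears as a LISTENING row, which the thread does not confirm.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1033         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1214         127.0.0.1:1033         ESTABLISHED
  TCP    127.0.0.1:1033         127.0.0.1:1214         ESTABLISHED
  TCP    127.0.0.1:1220         127.0.0.1:1033         ESTABLISHED
  TCP    127.0.0.1:1033         127.0.0.1:1220         ESTABLISHED
  TCP    192.168.1.20:1215      203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Matches TCP rows only; the header and UDP rows fall through.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def parse(text):
    """Return (local_addr, local_port, remote_addr, remote_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            la, lp, fa, fp, state = m.groups()
            rows.append((la, int(lp), fa, int(fp), state))
    return rows


def loopback_relays(text):
    """Map each local listening port to the loopback client ports connected to it."""
    rows = parse(text)
    # Ports reachable over loopback: bound to 127.x / ::1 or to all interfaces.
    listeners = {lp for la, lp, _, _, st in rows
                 if st == "LISTENING" and (is_loopback(la) or la in ("0.0.0.0", "[::]"))}
    established = {(lp, fp) for la, lp, fa, fp, st in rows
                   if st == "ESTABLISHED" and is_loopback(la) and is_loopback(fa)}
    relays = defaultdict(set)
    for lp, fp in established:
        # Client side of a pair: the remote port is a listener and the mirror row exists.
        if fp in listeners and (fp, lp) in established:
            relays[fp].add(lp)
    return {port: sorted(clients) for port, clients in relays.items()}


if __name__ == "__main__":
    for port, clients in loopback_relays(SAMPLE).items():
        print(f"loopback port {port} has local clients on ports {clients}")
```

A port that keeps collecting loopback clients for the life of one process is the thing to attribute to its owning executable before deciding whether a blanket localhost-to-localhost allow rule is acceptable.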

