Bug Triad Whacks Microsoft Browser

From: Melvyn (melvyn.fitzpatrick@s-pam-remove-sunoco.com)
Date: 09/04/02


From: "Melvyn" <melvyn.fitzpatrick@s-pam-remove-sunoco.com>
Date: Wed, 4 Sep 2002 13:48:53 -0700


Someone just sent me this. Is it serious??

Bug Triad Whacks Microsoft Browser

Researchers discover that three "low risk" bugs can
combine to send a Windows system up in flames.
By Brian McWilliams, Sep 4 2002 9:25AM

To prove that no security bug is truly harmless, a
security group has stitched together two minor flaws in
Microsoft's Internet Explorer 6.0 browser with a small
glitch in Windows Media Player to create one seriously
powerful attack.

By coaxing IE users to view a Web page containing the
special code, an attacker can silently force Windows 98,
Windows 2000, or Windows XP users to run a malicious
program of the attacker's choice.

The security group, Malware.com, has created a harmless
demonstration (http://www.malware.com/stench.html) of the
flaw which downloads and runs an executable program that
fills the victim's computer screen with flames.

A Malware.com member who uses the nickname "Http-equiv"
says he named the vulnerability "Stench" to dramatize why
it's dangerous for Microsoft to downplay and delay
patching security bugs that it considers minor.

"They're patching tiny pinprick holes and not the overall
problems, their mitigating factors, their ignoring small
demonstrated flaws, all add up into a monster problem,
which basically stinks," said Http-equiv in an e-mail
interview Tuesday.

Internet Explorer currently contains at least 18 security
bugs, many of them low-risk annoyances. Because it allows
an attacker to run code on a victim's machine, Stench is
the most serious security issue currently facing IE,
according to Thor Larholm, a researcher with Pivx
Solutions who tracks IE vulnerabilities.

Larholm said the information provided in the Malware.com
advisory could easily be used to create a harmful exploit.

"Follow the steps and you're done. I could let my 12-year-
old cousin do this," said Larholm, who added that because
all three bugs have been known to Microsoft for many
months, Malware.com's release of the information was "by
the book" and does not constitute what Microsoft
calls "irresponsible disclosure."

A Microsoft representative said the company was currently
studying the report and would take appropriate action.

Company Patchwork Faulted
According to Http-equiv, the exploit depends in part on a
known quirk in how Microsoft's media player handles self-
extracting Windows Media Download (WMD) files.

"If we can place our 'goodies' inside the .wmd file and
have the player unpack it, we now have arbitrary code on
the target computer," said Http-equiv.

Using a year-old IE bug known as the "codebase local path"
vulnerability -- a bug that was only partially fixed by
Microsoft last March -- the Stench exploit is able to
unpack and execute the malicious code without triggering
IE's security settings, he said.

According to Larholm, a major update to Internet Explorer
known as IE6 Service Pack One could include fixes for
numerous bugs, including those exploited by Stench.
Microsoft quietly released SP1 to its download servers in
late August but removed the upgrade shortly afterwards
without explanation.

On August 22, Microsoft issued a cumulative patch for IE
that addressed several severe bugs but did not include
complete fixes for the codebase local path and numerous
other vulnerabilities, Larholm said.

Malware.com's Stench advisory, posted to security mailing
lists on August 21, concluded with the following
statement: "Instead of sitting around trying to think
up ways that all these things cannot work, simply fix it
the first time round. There is no such thing
as 'mitigating factors' and 'hurdles'. This is a lie. Pure
fantasy. Fiction. Fix it when you can! For every way you
think it cannot be done, there are 10 ways it actually
can!"
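The article names the two ingredients of Stench only at the level of "a .wmd package that Media Player unpacks" and "an object codebase that points at a local path". A practitioner reading this in 2002 would have wanted a quick way to flag pages carrying those indicators in a proxy log or a mail gateway. The scanner below is an added illustration of that check, not code from Malware.com or from the article: it is a hypothetical detector, the HTML samples are constructed, and the attribute list and path forms it looks at are my assumptions about where such references would appear.

```python
"""Flag HTML that carries the two Stench indicators described above:
an <object> whose codebase attribute is a local path (file:, drive
letter, UNC), and any reference to a .wmd package that Windows Media
Player would unpack. Hypothetical detection code; samples are constructed."""
import re
from html.parser import HTMLParser

# Local-path forms a codebase attribute should never take on a remote page.
LOCAL_PATH = re.compile(r'^(?:file:|[a-z]:[\\/]|\\\\)', re.IGNORECASE)
# A .wmd package name, optionally followed by a query string or fragment.
WMD_REF = re.compile(r'\.wmd(?:$|[?#])', re.IGNORECASE)
# Attributes that can carry a URL the browser or player will fetch (assumed set).
URL_ATTRS = ('href', 'src', 'data', 'codebase')


class IndicatorScanner(HTMLParser):
    """Collects (indicator, value) pairs while parsing a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = {name: (value or '').strip() for name, value in attrs}
        if tag == 'object' and LOCAL_PATH.search(a.get('codebase', '')):
            self.findings.append(('codebase-local-path', a['codebase']))
        for attr in URL_ATTRS:
            if WMD_REF.search(a.get(attr, '')):
                self.findings.append(('wmd-reference', a[attr]))
        # <param name="FileName" value="..."> is the usual way an embedded
        # media player object is told what to load.
        if tag == 'param' and WMD_REF.search(a.get('value', '')):
            self.findings.append(('wmd-reference', a['value']))


def scan_html(html):
    """Return the list of (indicator, value) findings for one HTML document."""
    scanner = IndicatorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples, not real pages.
BENIGN_SAMPLE = (
    '<html><body>'
    '<object codebase="http://example.invalid/player.cab"></object>'
    '<a href="clip.wma">listen</a>'
    '</body></html>'
)
SUSPICIOUS_SAMPLE = (
    r'<html><body>'
    r'<object codebase="c:\windows\temp\payload.exe"></object>'
    r'<a href="movie.wmd?x=1">film</a>'
    r'<object><param name="FileName" value="file.wmd"></object>'
    r'</body></html>'
)

if __name__ == '__main__':
    for label, page in (('benign', BENIGN_SAMPLE), ('suspicious', SUSPICIOUS_SAMPLE)):
        print(label, scan_html(page))
```

The check is deliberately narrow: it matches the two components the article describes and nothing else, so a hit means "this page is worth a closer look", not "this page is the Stench exploit". Run it over fetched page bodies rather than URLs alone, because the .wmd reference may sit in a param tag rather than in a link.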


