Re: XP SP2 IE6 vulnerability

From: CnS (cns_at_free.fr)
Date: 09/16/04


Date: 16 Sep 2004 02:54:57 -0700


> > <!-- saved from url=(XXXX)URL -->
>
> I'm not saying this isn't a potential vulnerability [I'm not convinced it is
> just yet], but this behavior is by design and is documented at microsoft.com
> and other places. Unless I'm mistaken, I believe XP SP2 does some checking
> to try to prevent conflicting zone information from leading to a zone
> escalation / cross domain attack.

Since SP2, IE's behavior has been modified and now I call it a vulnerability
because it allows security checks to be bypassed. I would have called it a
weakness or a strange behavior if security aspects - allowing or not content
to be *executed* on the computer - were not involved.

Call it whatever you like, I'm only considering what it does to make my point.
Just replace the words "saved from url=XXX" with say "bypass security checks"
or "allow ActiveX/Javascript to run". What does it sound like?

I'm not saying this could be used as is. However if the goal is to restrict
the execution of some components in pages stored on the local disk, whatever
way they land there, I believe it is ineffective and potentially dangerous -
people could be lured into thinking that it is secure *since* it is stored on
the disk or that sort of thing.

As I understand it, when the comment is present the page is run in the Internet
Zone which has limited rights. What about reading files from the directory
the page is in and sending data to a remote web site? These are actions
typically undertaken by ActiveX objects, nevertheless when executed from a
local drive they present a deep security threat.

> But if you as an attacker can modify files like this on the local hard
> drive, then there are any number of ways you can compromise the system. MS
> has disabled several of the ways in which an attacker could write an
> arbitrary file to the hard drive via IE. I could certainly be wrong, let me
> know if I am.

I believe the page itself is stored somewhere in the disk cache.

I'm a software editor selling CDROMs which contain MathML enabled web pages.
Since SP2 these pages do not run correctly in Internet Explorer. So what are
my options?
 a. MathML isn't rendered by IE anyways, deal with it. Add a warning stating
    that the software will not run with XP SP2.
 b. Build a customized version of Mozilla and distribute it with your content.
 c. Add the fake comment to the pages so IE will think they have been
    downloaded and will execute the ActiveX plugin without a hitch.

Do you really think c. is an option for me? Do you think it is a reasonably
stable solution?

Nah. To me this is a facet of IE's poor design.

-- 
Cyrille SZYMANSKI
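The thread turns on the "saved from url" comment (IE's Mark of the Web) that decides which security zone a locally stored HTML file is rendered in. The script below is an added example for triaging such files from a defender's side; it is not code from this thread or from Microsoft. It assumes the documented comment format `<!-- saved from url=(NNNN)URL -->`, where NNNN is the four-digit character count of the URL that follows, and all file names and file contents are constructed for the example. It reports, for each file, whether a mark is present and whether the declared length actually matches the URL, which is the first thing to check when a file on disk claims to have been "downloaded".

```python
import re
from typing import Dict, NamedTuple, Optional

# IE's Mark of the Web comment. The four-digit field is the character count
# of the URL that follows it (assumption: documented format, see lead-in).
MOTW_RE = re.compile(
    r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE
)


class MarkOfTheWeb(NamedTuple):
    declared_len: int   # value inside the parentheses
    url: str            # origin the file claims to have been saved from
    actual_len: int     # real character count of that URL
    length_ok: bool     # declared_len == actual_len


def parse_motw(html: str) -> Optional[MarkOfTheWeb]:
    """Return the first Mark of the Web found in `html`, or None."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    declared = int(m.group(1))
    url = m.group(2)
    return MarkOfTheWeb(declared, url, len(url), declared == len(url))


def triage(files: Dict[str, str]) -> Dict[str, str]:
    """Classify each local HTML document by the state of its mark.

    'no-motw'               - file carries no mark; IE treats it as a plain
                              local file (Local Machine zone / lockdown).
    'motw-ok'               - well-formed mark; IE renders the page in the
                              zone of the claimed origin, typically Internet.
    'motw-length-mismatch'  - mark present but the length field does not
                              match the URL; worth a closer look, since a
                              hand-edited comment is a common cause.
    """
    result = {}
    for name, html in files.items():
        mark = parse_motw(html)
        if mark is None:
            result[name] = "no-motw"
        elif mark.length_ok:
            result[name] = "motw-ok"
        else:
            result[name] = "motw-length-mismatch"
    return result


# Constructed sample documents (not real files from the thread).
SAMPLE_FILES = {
    "marked.htm": (
        "<html><!-- saved from url=(0014)about:internet -->"
        "<body>page claims Internet-zone origin</body></html>"
    ),
    "mismatch.htm": (
        "<!-- saved from url=(0005)http://example.invalid/ -->"
        "<html><body>length field does not match URL</body></html>"
    ),
    "unmarked.htm": "<html><body>no mark at all</body></html>",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_FILES).items():
        mark = parse_motw(SAMPLE_FILES[name])
        origin = mark.url if mark else "-"
        print(f"{name:14} {status:22} origin={origin}")
```

Running it lists each sample with its status and claimed origin; on a real directory you would feed `triage` the contents of every `.htm`/`.html` file and review anything marked `motw-ok` that did not arrive through a browser download, and anything with a length mismatch.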

