IE Exploit Lets Attackers Plant Programs on SP2

By Larry Seltzer October 20, 2004

Updated: New attack finds yet another leak in local resource security that Windows XP Service Pack 2 and subsequent patches were supposed to plug.

A security researcher has discovered a new exploit for Microsoft Corp.'s Windows XP Service Pack 2 that allows programs to be planted and executed on fully-patched systems.

The researcher, known as http-equiv and operator of the malware.com Web site, discovered a weakness in the local security zone of Internet Explorer which, through the use of the HTML Help control, allows security restrictions in the zone to be bypassed.

In combination with a separate vulnerability, in which drag-and-drop operations permit executable content to be placed on the system, the result of the attack is the delivery and execution of potentially hostile code from an external Web site. The researcher provides a proof of concept example on the site.

The drag-and-drop component of the example is surprising in light of Microsoft's recent patching of a related vulnerability. Thor Larholm, senior security researcher for PivX Solutions, said the Microsoft patch, designated MS04-038, "does not patch the drag-and-drop problem directly; instead it tries to prevent its use by limiting the types of files that can be used in DYNSRC."

DYNSRC specifies the address of a media object used in a Web page. "As http-equiv demonstrates in his original post, this restriction could be circumvented," Larholm said.

The problem is relatively minor and can be patched by Microsoft without too much bother, Larholm said. In the meantime, it can be circumvented by disabling a particular shell object, Shell.Explorer, by setting its "kill bit" in the registry. PivX Inc. is providing a registry fix for doing this on their Web site.

In order to deliver and run the attack code the user must perform a drag-and-drop operation. In a real-world attack, users would probably be enticed with a media file such as an image or music, but the file would contain the attack code, according to a description written by Symantec Corp.

A Microsoft spokeswoman said the company is investigating reports of a vulnerability affecting Windows XP Service Pack 2 and earlier versions of Windows that could enable an attacker to place a malicious file on a user's system.

"Microsoft is not aware of any customer impact at this time. However we will continue to investigate the issue to determine the appropriate course of action to protect our customers. This might include providing a fix through our monthly patch release process or an out-of-cycle update, depending on customer needs," she said.

Microsoft also advises customers who have applied the latest Internet Explorer update, MS04-038, to set the "Drag and Drop or copy and paste files" option in the Internet and Intranet zone to "Disable" or "Prompt." Once this setting is changed, the spokeswoman said, the attack described in the report will not succeed.

In addition, customers who have set their Internet security zone settings to High will not be impacted by this vulnerability.
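
The two workarounds described above (the zone setting Microsoft advises and the kill-bit approach Larholm mentions) can be audited from the registry. The following PowerShell is an added example, not code from the article, Microsoft or PivX; it assumes the standard IE registry layout, in which the "Drag and Drop or copy and paste files" option is URL action 1802 under zones 1 (Local intranet) and 3 (Internet) and a kill bit is the 0x400 bit of a control's `Compatibility Flags` value. The function names are hypothetical, and the CLSID must be supplied by the caller because the article does not give one.

```powershell
# Added example (not from the article). Function names are hypothetical.
# URL action 1802 = "Drag and drop or copy and paste files".
$ZoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Policy and preference locations, machine-wide and per-user.
$ZoneRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-DragDropZoneSetting {
    # Report action 1802 wherever it is set, for zones 1 and 3.
    foreach ($root in $ZoneRoots) {
        foreach ($zone in 1, 3) {
            $key  = Join-Path $root $zone
            $item = Get-ItemProperty -LiteralPath $key -Name '1802' -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # not set at this location
            $value = [int]$item.'1802'
            [pscustomobject]@{
                Key     = $key
                Zone    = $ZoneNames[$zone]
                Value   = $value
                Setting = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'Unknown' }
                Advised = $value -in 1, 3       # "Prompt" or "Disable"
            }
        }
    }
}

function Test-ActiveXKillBit {
    # True when the control with the given CLSID has its kill bit (0x400) set.
    param([Parameter(Mandatory)][string]$Clsid)
    $key  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }      # no entry means no kill bit
    return (([int64]$item.'Compatibility Flags') -band 0x400) -ne 0
}

# Rows with Advised = False do not match Microsoft's advice.
Get-DragDropZoneSetting | Format-Table -AutoSize
# Placeholder CLSID; substitute the identifier from the vendor's fix:
# Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

The script only reads the registry; a zone with no row returned has no explicit value at any of the four locations and should be checked in the Internet Options dialog.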

Editor's Note: This story was updated to include additional information from Microsoft.
