http://www.wired.com/news/technology/0,1282,51899,00.html

11:41 a.m. April 17, 2002 PDT

Another Big MS Browser Hole Found
By Michelle Delio

Internet Explorer users who click their browser's back button open the
Windows operating system to a malicious hack attack.

When users hit the back button on Explorer's toolbar, the browser's
security settings for the "Internet" zone can be bypassed, and the browser
will automatically execute malicious code embedded into a site's URL.

The problem is caused by what can politely be described as a design flaw
in Explorer. When a Web page fails to load, Explorer displays a standard
error message. This message is set to operate in the "Local Computer Zone"
security setting, which by default allows scripting to run automatically.

Any code inserted in the original URL is handled as if it comes from the
same security zone as the last URL viewed. So a URL containing malicious
JavaScript that might be blocked by default if a user visits the site
directly will be automatically triggered when the user presses the back
button.

Many users hit the back button when a Web page fails to load in a timely
manner.
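The vector described above is a script-scheme URL (a "JavaScript protocol" link such as javascript:...) sitting in the history list. As an added example, not code from the Wired article or from Sandblad's post, here is a Python check a defender could run over link targets, a history list or proxy-log URLs to flag script-scheme URLs, including the case, whitespace and percent-encoded variants that browsers tolerate; the sample URLs are constructed.

```python
import re
import urllib.parse

# Constructed sample input: link targets as they might appear in a page's
# anchors, a browser history list, or a proxy log. Not from the article.
SAMPLE_URLS = [
    "http://example.test/page.html",
    "javascript:alert(1)",
    "  JavaScript:void(0)",
    "java\tscript:doSomething()",
    "%6Aavascript:run()",
    "mailto:someone@example.test",
    "/relative/path?q=javascript:notascheme",
]

SCRIPT_SCHEMES = {"javascript", "vbscript"}
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20]")


def normalize_scheme(url: str) -> str:
    """Return the lower-cased scheme after the loosening steps a browser
    applies before dispatch: percent-decoding, dropping leading whitespace,
    and ignoring embedded control/whitespace characters (a literal tab in
    "java<TAB>script:" was historically accepted). Returns "" when the URL
    has no scheme (relative paths, query-only strings)."""
    candidate = urllib.parse.unquote(url).lstrip()
    # Only text before the first '/', '?' or '#' can hold a scheme; a colon
    # later than that is path or query data, not a scheme.
    head = re.split(r"[/?#]", candidate, maxsplit=1)[0]
    if ":" not in head:
        return ""
    scheme = head.split(":", 1)[0]
    return _CONTROL_OR_SPACE.sub("", scheme).lower()


def is_script_url(url: str) -> bool:
    """True when the URL would be dispatched to a script handler."""
    return normalize_scheme(url) in SCRIPT_SCHEMES


def find_script_urls(urls):
    """Filter a list of URLs down to the script-scheme ones."""
    return [u for u in urls if is_script_url(u)]


if __name__ == "__main__":
    for u in find_script_urls(SAMPLE_URLS):
        print("script-scheme URL:", repr(u))
```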

The exploit was discovered by Andreas Sandblad, a Swedish engineering
student. Sandblad said he notified Microsoft of the problem last November.
He provided additional information to Microsoft on March 25.

"Originally, I was only able to produce the same result when the user
pressed the refresh button," Sandblad said in an e-mail. "I contacted
Microsoft about it in November and they confirmed the problem. On Feb. 28,
I received mail from them saying that they didn't think the problem was
serious enough to fix."

"Later, I e-mailed Microsoft with additional information, describing how
it was possible to trigger the same flaw with the back button. A couple of
days later I received a mail explaining that they might fix the problem in
a future service pack. I told them that I was planning to go public with
the vulnerability but that I could wait if they could convince me that
they were going to fix the issue in reasonable time. They didn't respond
at all."

A Microsoft spokesman said the Microsoft Security Response Center
thoroughly investigated Sandblad's report "and determined that because the
proposed exploit scenario is dependent upon specific user interaction as a
prerequisite, it does not meet our definition of a security
vulnerability."

"The proposed exploit scenario requires the attacker to compel the users
to click on the back button while visiting a malicious website. This
scenario does not constitute a viable threat to users following standard
best practices," the spokesman added.

Some users were surprised to find out that Microsoft believes that using
the back button is not a standard, best security practice.

"Why the hell did they put a back button into the browser toolbar if they
didn't want me to use it?" Martin Montez, a stockbroker, wondered. "I'm
one of the few people in the world who actually reads the manuals and
there's no warning anywhere that using the back button could compromise
your system."

Microsoft's spokesman said that the company "remains vigilant in our
commitment to keeping users' information safe and will be addressing this
issue in an upcoming release."

Sandblad said he didn't discover the exploit by accident.

"I have been researching issues regarding the JavaScript protocol for a
long time and I found that using the history list together with the back
button was a nice way of exploiting it. Often you find flaws that are hard
to take advantage of. Mostly, too much user interaction is needed. This
one is easy."

Sandblad tested the exploit with Internet Explorer 6.0 on Windows 2000 and
XP systems. Further tests by Wired News showed that the exploit also works
with various combinations of Internet Explorer 6.0 and 5.5 on computers
running Windows 2000, NT 5.0, XP and 98.

The exploit does not work on Macs with current versions of Explorer, or
in Mozilla or Opera browsers. Some tested versions of Netscape returned a
JavaScript error and crashed.

Some antiviral programs, such as McAfee and F-Secure, were able to block
the exploit, and also displayed a "Trojan" or "Code Event" alert.

A Slashdot reader posted a test that allows users to see if their system
is vulnerable to the exploit.

Sandblad posted details of the exploit on the BugTraq security mailing
list on Wednesday.

In his post, Sandblad suggested the usual fix for browser woes: disable
active scripting. He also noted that users could choose never to use the
back button.

Programmer Mikal Zabor also suggested that Windows users, those who "must
run Explorer," should consider installing the Windows operating system
anywhere but their main (C) drive.

"Many exploits assume things about your system. They assume you're running
Microsoft products, and they assume your system is on the C drive with the
default install. If you move the system off the main drive, or set up
partitions, you make it harder for malicious hackers."

Sandblad also said he is still waiting for Microsoft to fix the last
vulnerability he reported to the company.

"The patch they released in the bulletin MS02-015 'Cookie-based Script
Execution' only fixed part of the problem," Sandblad said.

© Copyright 2002, Lycos, Inc.
