IE Exploit Lets Attackers Plant Programs on SP2

By Larry Seltzer
October 20, 2004

Updated: New attack finds yet another leak in local resource security
that Windows XP Service Pack 2 and subsequent patches were supposed to
plug.



A security researcher has discovered a new exploit for Microsoft
Corp.'s Windows XP Service Pack 2 that allows programs to be planted
and executed on fully-patched systems.

ADVERTISEMENT


The researcher, known as http-equiv and operator of the malware.com
Web site, discovered a weakness in the local security zone of Internet
Explorer which, through the use of the HTML Help control, allows
security restrictions in the zone to be bypassed.

In combination with a separate vulnerability, in which drag-and-drop
operations permit executable content to be placed on the system, the
result of the attack is the delivery and execution of potentially
hostile code from an external Web site. The researcher provides a
proof of concept example on the site.

The drag-and-drop component of the example is surprising in light of
Microsoft's recent patching of a related vulnerability. Thor Larholm,
senior security researcher for PivX Solutions, said the Microsoft
patch, designated MS04-038, "does not patch the drag-and-drop problem
directly—instead it tries to prevent its use by limiting the types of
files that can be used in DYNSRC."



DYNSRC specifies the address of a media object used in a Web page. "As
http-equiv demonstrates in his original post, this restriction could
be circumvented," Larholm said.

The problem is relatively minor and can be patched by Microsoft
without too much bother, Larholm said. In the meantime, it can be
circumvented by disabling a particular shell object, Shell.Explorer,
by setting its "kill bit" in the registry. PivX Inc. is providing a
registry fix for doing this on their Web site.

In order to deliver and run the attack code the user must perform a
drag-and-drop operation. In a real-world attack, users would probably
be enticed with a media file such as an image or music, but the file
would contain the attack code, according to a description written by
Symantec Corp.

A Microsoft spokeswoman said the company is investigating reports of a
vulnerability affecting Windows XP Service Pack 2 and earlier versions
of Windows that could enable an attacker to place a malicious file on
a user's system.

"Microsoft is not aware of any customer impact at this time. However
we will continue to investigate the issue to determine the appropriate
course of action to protect our customers. This might include
providing a fix through our monthly patch release process or an
out-of-cycle update, depending on customer needs," she said.

Microsoft also advises customers who have applied the latest Internet
Explorer update, MS04-038, to set the "Drag and Drop or copy and paste
files" option in the Internet and Intranet zone to "Disable" or
"Prompt." Once this setting is changed, the spokeswoman said, the
attack described in the report will not succeed.

In addition, customers who have set their Internet Security zone
settings set to high will not impacted by this vulnerability.

Editor's Note: This story was updated to include additional
information from Microsoft.

PointerCheck out eWEEK.com's Security Center for the latest security
news, reviews and analysis. And for insights on security coverage
around the Web, take a look at eWEEK.com Security Center Editor Larry
Seltzer's Weblog.

horizontal rule

Be sure to add our eWEEK.com Security news feed to your RSS newsreader
or My Yahoo page

Email Order Reprints of this Article.


TALKBACK
Sign In To Talkback! | Register


Fill-in form below to apply.
First Name:
Last Name:
Title:
Company:
Address:
City:
State:
Zip Code:
E-mail:

Cover: October 27 Filter
Renew today
Try digital eWEEK!
Subscription Help



Ziff Davis Partner Sites
# Visual Studio & .Net Dev Center
# Grid Computing

Ziff Davis Featured Sites
# IT Reseller News & Resources
# eWEEK.com Storage Topic Center

FREE ZIFF DAVIS MEDIA ESEMINARS AT ESEMINARSLIVE.COM
# 10/25 - The Road to 64-Bit computing: Bridging the Gap to Itanium
with Aaron Goldberg. Sponsored by PC Connection, Inc. & HP
# 10/26 - How To Catch a Phish: Keep Online Phishing and Fraud Out of
Your Company with Frank Derfler. Sponsored by MailFrontier
# 10/27 - Leverage Both Legislation and Technology to Combat
Fraudulent Spam and Phishing Attacks with Aaron Goldberg. Sponsored by
CipherTrust, Inc.
# 10/27 - The Desktop Access Advantage: Leveraging the Benefits of a
Managed Service with Frank Derfler. Sponsored by Citrix Online.

Nov. 30 - Dec. 1, 2004
Ziff Davis Media eSeminar's Security Virtual Tradeshow will bring
together top security experts for a two-day online event focused
exclusively on the most pressing IT security issues. Through a series
of keynote presentations and interactive panel discussions featuring
government officials, IT corporate executives and leading industry
analysts, this event promises to educate you on growing threats facing
your IT systems.
Register Now!

FREE WHITE PAPERS
Click on a link below to download one of our FREE White Papers:

# Thin Clients: Solving Business Problems at the Point of Data Access

# Digital Data at the Point of Care

# Securing Terminal Services

FREE ESEMINAR

# No Loss in Going Thin: Running Applications in a Thin Client
Environment

brought to you by Wyse

WHAT'S EATING YOUR HARD DRIVE?
DiskPie Pro, NEW from the PCMag.com Utility Library, lets you manage
and reclaim precious hard drive real estate:

* Quickly Identify Space-Hogging Files, Folders
* Find & Manage Your Biggest Files
* Set Limits & Get Alerts When You Exceed Them
* Powerful, Easy-to-Customize Pie Charts Make It Easy!



Download DiskPie Now!



* Shop Now! - Dell Home Solutions Center
* Build your custom desktop or notebook now at MPC!
* Dell Small Business Products

* FREE Double Memory on Select Dell Systems!
* Roadmap for Secure Messaging Strategy – Free Whitepaper
* Microsoft solutions for Healthcare.
* Change for gain. Find out how at www.mercury.com
* Get your FREE Hosted Trial of VS .NET
* Improve IT Efficiency with Windows Server System.
* FREE Security Patch Management Software - Shavlik HFNetChkPro!
* Verizon Business DSL. The best value in broadband
* Get free security management tools from Microsoft
* Get the facts on Microsoft® Windows® and Linux.
* Change for gain. Find out how at www.mercury.com
* Free White Paper: Transform Technical Support into Competitive
Advantage
* Portfolio Management Process White Paper
* Free White Paper: Too Much of a Good Thing is Just Too Much –
Don't Overbuild Your Server Room!
* IBM Middleware for mid-sized companies.
* Middleware is Everywhere. Can you see it?
* IBM Middleware for automation. That's On Demand Business.
* IBM Middleware for software development. That's On Demand
Business.
* IBM Middleware Solutions for Telecom


RELATED LINKS

OctoberPatchFest: The Postmortem

Microsoft Issues Flurry of Fixes on Busy Patch Day

Microsoft Patch Day: The Next Generation

SP2 May Spell Trouble for Agentless Patching

Attack Pierces Fully Patched XP Machines




SECURITY VIEW


Larry Seltzer
Bad Input Bombs Your Program
A simple "fuzzer" program shows that most Web browsers are easily
crashed by malformed Web tags. Who'd have thought that Internet
Explorer would be the most robust!


SECURITY RSS FEED


Want an easy way to keep up collaboration and messaging news, reviews
and opinions? Get eWEEK headlines delivered to your desktop with RSS.


COURSEY'S VIEW


David Coursey
Microsoft's Second Mistake: Boring Upgrades
In Part II of his series on Microsoft's biggest failures, David
Coursey claims the software giant has failed miserably to create
upgrades that excite its users.


SECURITY SPECIAL REPORTS


Canning Spam
E-Mail Worms 2004
Securing Windows
Windows Exposed


BREAKING NEWS

*
10.22.2004
Radvision Builds Videoconferencing Bridge for Istanbul Users
*
10.22.2004
Siemens Medical Garners Health IT Award
*
10.22.2004
Updated: Java Studio Creator Update Targets Mac Developers
*
10.22.2004
Someone Hacked Into Purdue's Computers
*
10.22.2004
EU to Issue Early Ruling on Oracle-PeopleSoft
*
10.22.2004
Aberdeen Report: True Multichannel Sales Desirable but Rare
*
10.22.2004
SVP Beard: Sybase Spreads Its Reach

View All >

SECURITY RESOURCES


View the Security Center list of security resources.

Add the eWEEK.com Security Center to your IE favorites.


Optimizing Your Imaging & Printing Environment


The Growing Security Threat: Your Employees


Email Security in Sarbanes-Oxley Compliance

All White Papers >

FREE NEWSLETTER

Get eWEEK's FREE online newsletters. Fill-in the form below:

* 1. Make your selections:
*
*
Securing the Enterprise
eWEEK News & Views
The Coursey Report
The Channel Insider Update
* 2. Select email format:
*
* 3. Enter email address:
*

View all Newsletters >


Issue Index | Contact Us | About | Advertise | Magazine Customer
Service
eWEEK Quick LInks

Storage Solutions | Networking Security | Network Infrastructure |
Wireless Networking
Database Management Systems | PC Desktops | Web Programming |
Enterprise Solutions
Linux Operating Systems | Mac Operating System | Mobile Messaging |
Internet Telephony
Microsoft Windows News

Contact Us | Advertise | Reprints | Magazine Subscriptions |
Newsletters | RSS Feeds | Tech Shop
White Papers | Tech Courses Online | Headlines for Your Site | Custom
Utilities | Tech Jobs


1UP | Baseline | Business 4Site | CIO Insight | Computer Gaming World
| DevSource | DigitalLife
Electronic Gaming Monthly | eSeminars | eWEEK | Extreme iPod |
ExtremeTech | GMR | Microsoft Watch
Official US PlayStation Magazine | PC Magazine | Small Business Center
| Sync | The Channel Insider

Use of this site is governed by our Terms of Use and Privacy Policy
Copyright © 1996-2004 Ziff Davis Publishing Holdings Inc. All Rights
Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis
Publishing Holdings, Inc. Reproduction in whole or in part in any form
or medium without express written permission of Ziff Davis Media Inc.
is prohibited.