Updated September 30, 1999

Son of "ImportExportFavorites" Security Hole...

Noted Bulgarian Hacker Exposes
IE5 'Download Behavior' Privacy Peephole; Netscape is Unscathed

YOU MAY remember the most recent security problem to bite IE5 -- the "ImportExportFavorites" security hole. Well, now there's an allied incursion, the "Download Behavior" privacy peephole.

Where the "ImportExportFavorites" security hole in IE5 opened users' systems to the danger of unauthorized access to their hard drive, the "Download Behavior" privacy peephole can enable malicious webmasters to read files on a user's hard drive.

The problem is this: when a user downloads a Web page using Microsoft IE5, that page can use server-side redirection to execute client-side code capable of reading files on the user's hard drive and returning them to the Web server.

Under IE's security architecture, Internet-based Web servers shouldn't be able to access data on client machines because the two do not reside on the same network. But because of a security flaw in the product's "Download Behavior" function call, a malicious server could trick the client into thinking that a downloaded JavaScript or VB Script application resides on the same domain, enabling that application to access local files.

Using code obtained from the noted Bulgarian hacker, Georgi Guninski (http://www.nat.bg/~joro/index.html), KeyLabs verified that a remote JavaScript application could indeed run within a browser's local domain, with full file system access. Guninski was also responsible for popularizing the recent "ImportExportFavorites" security hole. (Hint to Microsoft: on his Web site Guninski says he's looking for a job -- is this all some sort of elaborate job application?)

"This is a very serious bug. The sample code used in our testing opened and then displayed our autoexec.bat file," said Ralph Decker, Lab Director for KeyLabs. "But this code could just as easily have accessed sensitive system files."

KeyLabs also tested Netscape Communications' Communicator 4.61 and found it immune to this form of attack. Because Communicator does not allow remote code to execute locally, it is able to sidestep the issue entirely.

In a Security Bulletin posted this Tuesday, Microsoft acknowledged the flaw. "This is really a risk to privacy," said Scott Culp, product manager in charge of security response at Microsoft. "Hackers can only read files, not modify or delete them."

Culp maintains that a patch is forthcoming from Microsoft and will be posted on Microsoft's Security Advisor site (http://www.microsoft.com/security/) as soon as possible. In the meantime, he recommends that users work around this security issue by disabling Active Scripting.

Until Microsoft provides a security patch, the only solution is to disable Active Scripting through the following steps:

  1. Within IE 5, select the Tools pull-down menu and click on Internet Options.
  2. Select the Internet Zone and click on the Custom Level button.
  3. Look for the Scripting heading and then select the "Disable" setting for Active scripting.
  4. Click OK twice.

This shotgun solution will keep you safe from malicious server-side code, but it will also prevent you from utilizing client-side code. This means you won't be able to effectively interact with sites that rely upon JavaScript and VB Script to perform even the most menial of tasks, such as form validation routines, image rollovers, and even page formatting directives done through Dynamic HTML.

Microsoft suggests IE5 users can add trusted Web sites one by one to their Trusted Sites Zone from the Security Tab within their Internet Options. "But without a real fix," says Decker, "users who are concerned about personal security will have to either live dangerously or find a new browser."
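The workaround above can be checked from the registry, where Windows stores IE's per-zone security settings. This PowerShell audit is an added example, not part of the original BugNet article or any Microsoft tool; it reads the Active Scripting action (value `1400`) for the Internet and Trusted Sites zones. The function name is hypothetical, and the precedence order used (machine policy, then user policy, then user setting) is an assumption about how the effective value is chosen.

```powershell
# Added example: audit Active Scripting (URL action 1400) per IE security zone.
# Zone 3 = Internet, zone 2 = Trusted sites; data 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneNames = @{ 2 = 'Trusted sites'; 3 = 'Internet' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Listed in assumed precedence order: a policy key, when present, overrides the user's choice.
$Sources = [ordered]@{
    'Machine policy' = "HKLM:\SOFTWARE\Policies\$Suffix"
    'User policy'    = "HKCU:\Software\Policies\$Suffix"
    'User setting'   = "HKCU:\Software\$Suffix"
}

function Get-ActiveScriptingState {   # hypothetical helper name
    param([int[]]$Zone = @(3, 2))
    foreach ($z in $Zone) {
        foreach ($src in $Sources.GetEnumerator()) {
            $key = Join-Path $src.Value "$z"
            $raw = $null
            if (Test-Path $key) {
                # A missing value yields $null rather than an error.
                $raw = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
            }
            if ($null -eq $raw) { $setting = 'Not set' }
            elseif ($Meaning.ContainsKey([int]$raw)) { $setting = $Meaning[[int]$raw] }
            else { $setting = "Unknown ($raw)" }
            [pscustomobject]@{ Zone = $ZoneNames[$z]; Source = $src.Key; Setting = $setting }
        }
    }
}

$state = @(Get-ActiveScriptingState)
$state | Format-Table -AutoSize

# Effective Internet-zone value: the first source (in precedence order) that sets it.
$effective = $state |
    Where-Object { $_.Zone -eq 'Internet' -and $_.Setting -ne 'Not set' } |
    Select-Object -First 1
if ($null -eq $effective) {
    Write-Warning 'Internet zone: Active Scripting is not set explicitly; the zone default applies.'
} elseif ($effective.Setting -ne 'Disable') {
    Write-Warning "Internet zone: Active Scripting is '$($effective.Setting)' via $($effective.Source)."
} else {
    Write-Output "Internet zone: Active Scripting disabled via $($effective.Source)."
}
```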

-- Bradley F. Shimmin

© BugNet material copyright 1994-1999 by BugNet.
® BugNet is a Registered Trademark of KeyLabs.

This historic replica of BugNet from the period 1994-1999
is presented by astonisher.com with the permission of BugNet.

Software testing for BugNet is provided by KeyLabs, the world's largest independent PC testing facility.