[ISN] Internet Explorer carved up by zero-day hole

InfoSec News isn at c4i.org
Thu Jun 10 05:44:35 EDT 2004


http://www.computerworld.com.au/index.php?id=117316298&eid=-255

Kieren McCarthy
Techworld.com
09/06/2004 

Two new vulnerabilities have been discovered in Internet Explorer
which allow a complete bypass of security and provide system access to
a computer, including the installation of files on someone's hard disk
without their knowledge, through a single click.

Worse, the holes have been discovered from analysis of an existing
link on the Internet, and a fully functional demonstration of the
exploit has been produced and shown to affect even fully patched
versions of Explorer.

It has been rated "extremely critical" by security company Secunia,
and the only advice is to disable Active Scripting support for all but
trusted websites.

The discovery stems from Dutch researcher Jelmer who was sent an
Internet link which he was warned used unknown Explorer
vulnerabilities to install adware on his computer. He found it did and
embarked on a detailed analysis of the link, which demonstrates an
extremely sophisticated use of encrypted code to bypass the Web
browser's security.

In simple terms, the link uses an unknown vulnerability to open up a
local Explorer help file --
ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm. It does not
execute anything immediately but instead uses another unknown
vulnerability to run another file, which in turn runs some script. This
script is then used to run more script. And finally that script is
used to run an exploit that Microsoft Corp. has been aware of since
August 2003 but hasn't patched.

That exploit -- Adodb.stream -- has not been viewed as particularly
dangerous, since it only works when the file containing the code is
present on the user's hard disk. The problem comes in the fact that
the Help file initially opened is assumed to be safe since it is a
local file and so has minimal security restrictions.

By using the unknown exploits, code is installed within the help file
window, all security efforts are bypassed, and the Adodb.stream
exploit is then used to download files on the Internet direct to the
hard disk.

What this means in reality is that if you click on a malicious link in
an email or on the Internet, a malicious user can very quickly have
complete control of your PC. And there is no patch available. You can
see it happen by clicking here.

With the code already available on the Net, this is effectively a
security nightmare ... unless you're a Mozilla or Opera user that is.
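
An added example, not part of the article or of Jelmer's analysis: a
gateway-side content check in Python that flags the two markers the
article names, a help-file handler URL pointing at a local .chm and a
reference to Adodb.stream, after undoing HTML-entity and percent
encoding. The its: and mk:@MSITStore: aliases, the function names, the
verdict policy and the sample strings are assumptions constructed for
illustration; script that is itself encrypted, as the article
describes, will not match until it has been decoded.

```python
import html
import re
from urllib.parse import unquote

# ms-its: is the handler named in the article; its: and mk:@MSITStore: are
# other names for the same CHM handler (added here as an assumption).
LOCAL_CHM = re.compile(
    r"(?:ms-its|\bits|mk:@MSITStore):\s*[A-Za-z]:[\\/][^\"'<>\s]*?\.chm(?:::[^\"'<>\s]*)?",
    re.IGNORECASE,
)
ADODB_STREAM = re.compile(r"adodb\.stream", re.IGNORECASE)


def normalize(text):
    """Undo HTML-entity and percent-encoding so simple obfuscation still matches."""
    return unquote(html.unescape(text))


def scan(content):
    """Return (indicator, matched_text) pairs found in page or mail content."""
    text = normalize(content)
    hits = [("local-chm-handler", m.group(0)) for m in LOCAL_CHM.finditer(text)]
    hits += [("adodb-stream", m.group(0)) for m in ADODB_STREAM.finditer(text)]
    return hits


def verdict(content):
    """Hypothetical policy: both markers -> block, one -> review, none -> clean."""
    kinds = {kind for kind, _ in scan(content)}
    return {0: "clean", 1: "review"}.get(len(kinds), "block")


# Constructed sample inputs (not captured traffic).
CHM_URL = "ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm"
SAMPLES = {
    "plain": '<iframe src="' + CHM_URL + '"></iframe>',
    "encoded": '<a href="ms-its&#58;C&#58;%5CWINDOWS%5CHelp%5Ciexplore.chm::/iegetsrt.htm">x</a>',
    "both": '<object data="' + CHM_URL + '"></object><script>var n = "ADODB.Stream";</script>',
    "benign": '<a href="https://example.com/help/index.htm">Help</a>',
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, verdict(sample), scan(sample))
```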




