Posted By: nektar | Aug 23rd, 2004 @ 12:51 PM
page 1 of 2
Comments: 31 | Views: 19473

A security firm has reported over the weekend a newly discovered, highly critical flaw that affects most versions of Internet Explorer, even Windows XP with Service Pack 2. Microsoft says that the issue is not easy to exploit, but according to some security analysts this is not true, as an attacker can easily make a page where just using the scrollbar could potentially place an executable in your startup folder.
Look at:
http://www.informationweek.com/story/showArticle.jhtml?articleID=29116685
and
http://www.winnetmag.com/windowspaulthurrott/Article/ArticleID/43739/windowspaulthurrott_43739.html
Can we have an official response from Microsoft? Perhaps here in Channel9. Where is Stepto?

Some security analysts just try to earn credits for rubbish, much ado about nothing. Users also can download and run any malicious code on their own - what a critical security flaw! Or they can do Ctrl+A and Shift+Del over their "My Documents" in Explorer - what a heck of a vulnerability! There are a lot of junk subjects some "security analysts" may publish advisories about.
Charles
Charles
Welcome Change
nektar wrote:
It seems that an attacker can design a webpage on which a user can inadvertently drag and drop an exe file into his startup folder just by using the ordinary scrollbar on that page.


Are you sure about that?

Charles
Charles wrote:
nektar wrote: It seems that an attacker can design a webpage on which a user can inadvertently drag and drop an exe file into his startup folder just by using the ordinary scrollbar on that page.


Are you sure about that?

Charles


I'm sure.
Manip wrote:
Charles wrote:
nektar wrote: It seems that an attacker can design a webpage on which a user can inadvertently drag and drop an exe file into his startup folder just by using the ordinary scrollbar on that page.


Are you sure about that?

Charles


I'm sure.


You are sure as in you are sure about Apache's license, or you are sure as in ......... like you are sure about your name? Smiley
Keskos wrote:
You are sure as in you are sure about Apache's license, or you are sure as in ......... like you are sure about your name? Smiley


I'm sure as in I'm sure you're a little troll.
Manip wrote:
Keskos wrote:You are sure as in you are sure about Apache's license, or you are sure as in ......... like you are sure about your name? Smiley


I'm sure as in I'm sure you're a little troll.


Respect please. If you can't handle a joke then don't post.
Keskos wrote:
Respect please. If you can't handle a joke then don't post.


That was not a joke, it was a personal attack. What does Apache/GPL have to do with this topic even remotely and why is it funny to bring it up?

I don't find it funny.
Cider
Cider
Daze-d & Confused
To be fair, Manip, he did use a smiley and I saw the comment in the way it was intended.  The only person getting involved in the personal attacks here is yourself.
Charles
Charles
Welcome Change
Yes, please be respectful everybody. There's nothing wrong with a little sportsmanship, but I think there is still some bad blood between certain niners based on past threads. This will change over time. Let's all try and be sensitive to the differences in perceptions of what constitutes an attack. Even in jest, people can be offended. It's best to just not even joke about sensitive issues. Sensitivity is relative.

EDIT: Removed question.


Charles
Charles wrote:
Yes, please be respectful everybody. There's nothing wrong with a little sportsmanship, but I think there is still some bad blood between certain niners based on past threads. This will change over time. Let's all try and be sensitive to the differences in perceptions of what constitutes an attack. Even in jest, people can be offended. It's best to just not even joke about sensitive issues. Sensitivity is relative.

EDIT: Removed question.


Charles


What's the sensitive issue here? The fact that Manip at one point got Apache's license wrong? Are we barred from mentioning that in this context? He was also sure about that one, so I jokingly asked how sure he is about this one. What's wrong with this question? How someone can call that a personal attack is beyond me, even with all the relativity theory.

How about dealing with some real personal attacks from eagle.

"A chap like kestos will cheat, because he knows he can.


Jamie will be polling us on a name for his goldfish...

...but you will cheat (you just did) it's the only way you know...

That's not a flame, just a fact. I posted three hours after he did, he jumped on my post in seven minutes.

He uses several identities here on channel9 so he can have conversations with himself.

No one on channel9 is as disrespectful as himself.
"
huh? My Goldfish are named Bill and Steve

* were you talking to me? you.. i thought you .. you talking to me? </denero>

If you were.. i have one account

im the real jamie all you other lame jamies are just imitating Wink
Keskos wrote:

What's the sensitive issue here? The fact that Manip at one point got Apache's license wrong? Are we barred from mentioning that in this context? He was also sure about that one, so I jokingly asked how sure he is about this one. What's wrong with this question? How someone can call that a personal attack is beyond me, even with all the relativity theory.


What does apache/GPL have to do with this topic?

It wasn't a joke, it was an attack hidden within a joke.
Just like racist attacks are hidden within racist jokes. We don't accept racist jokes, do we?

And to be clear, you're barred from mentioning people's past mistakes in ANY context
unless that is the topic or it is absolutely necessary.
I'm not talking about C9, I am talking about life.

In general I find most of what you say offensive/rude and you just LOVE to pick at people.
Maybe it is just my local culture and the way I perceive things but that is the way it is.
Cider
Cider
Daze-d & Confused
Jamie,

Is that named after Gates and Bullmer, Gates and Jobs or maybe even 80s legends Bill Cosby and Steve Guttenberg?

To explain some of the edits and deletions above, I'm not absolutely sure why Charles deleted his question but I asked for my reply to be deleted because I put some extra information about this flaw in, and, personally, I do not believe that the flaw exposees (or whatever you call these anal people who find security bugs) used "responsible disclosure" and merely waited for SP2 to be released so they could be "w00t l33t haX0rs".

For what it's worth, Keskos, I did defend your joke in this thread because, well, I'm British, and our sense of humour tends to be based upon attacking, piss taking and the like.  Also, I don't think Charles was having a go at you at all, but merely trying to pour oil on the water to make everyone calm down.

Gates and Jobs

I had a lobster named after Ballmer once - but he kept jumping out of the tank:  Crustaceans! Crustaceans! Crustaceans!

Cider
Cider
Daze-d & Confused
Oh, Manip, catch yourself on.

He made a joke which, actually, did have something to do with this topic.  You did make a mistake before and he (very very gently, actually) ribbed you about it because you were making a statement about how sure you are now and he was challenging that.  It was hardly threatening and certainly trying to say "you making a comment about Apache is like a racist joke" just makes you look stoopid.

For crying out loud, lighten up, and stop being such a sensitive little petal.

Smiley
Charles
Charles
Welcome Change
OK. All that I meant was we just need to remember to be respectful (I'm starting to sound like a broken record. I'm starting to sound like a broken record. I'm starting to sound like a broken record.) Smiley

"Troll" is an insult as far as we're concerned, so please stop calling people trolls. Let's change the vector of this thread back to the original topic and move on from the personal attack debate. It's simple. Before we hit post, let's make sure that we don't say something that belittles or humiliates or in any way puts somebody down. What good does it do to get personal in any way when putting forth an argument or supporting a specific position in a debate?

Keep on posting!

Charles 

Cider wrote:

For what it's worth, Keskos, I did defend your joke in this thread because, well, I'm British, and our sense of humour tends to be based upon attacking, piss taking and the like.  Also, I don't think Charles was having a go at you at all, but merely trying to pour oil on the water to make everyone calm down.


If anything pisses off Manip, how am I supposed to talk while being attacked by Manip? If Charles says that we shouldn't talk about sensitive issues, where those issues are relative, how can I avoid being attacked? Manip says he is pissed off by anything I say, and Charles says to me not to talk about those things that piss off Manip.

Update: This was posted before I saw Charles's above post.

Manip wrote:


What does apache/GPL have to do with this topic?

It wasn't a joke, it was an attack hidden within a joke.
Just like racist attacks are hidden within racist jokes. We don't accept racist jokes, do we?

And to be clear, you're barred from mentioning people's past mistakes in ANY context
unless that is the topic or it is absolutely necessary.
I'm not talking about C9, I am talking about life.

In general I find most of what you say offensive/rude and you just LOVE to pick at people.
Maybe it is just my local culture and the way I perceive things but that is the way it is.



Charles
Charles
Welcome Change
All,

I don't condone one form of disrespect over another. I am not pointing fingers at anybody. All I am doing is what I said I would do; provide gentle reminders of the need for respect in the forums when I encounter a thread spinning in a potentially hostile direction. 

Charles 
strawberryJAMM
strawberryJAMM
strawberrily delicious and user friendly too!
Keskos wrote:
Manip wrote:
Charles wrote:
nektar wrote: It seems that an attacker can design a webpage on which a user can inadvertently drag and drop an exe file into his startup folder just by using the ordinary scrollbar on that page.


Are you sure about that?

Charles


I'm sure.


You are sure as in you are sure about Apache's license, or you are sure as in ......... like you are sure about your name? Smiley

With all due respect, even if he isn't that sure, I am that sure, having just tried the proof-of-concept web page myself.

I got the link from an email sent to bugtraq by a "mikx" that was forwarded to a Security list I'm on:

From: mikx [mailto:mikx@mikx.de]
Sent: Tuesday, August 24, 2004 5:24 AM
To: bugtraq@securityfocus.com
Subject: What A Drag! -revisited-

Most people I talked to consider the Internet Explorer drag and drop vulnerability 
found by http-equiv not as a serious problem, because it requires some user interaction 
and the press pushes this topic way too much as the "first security problem in SP2".
In an article on BetaNews even Microsoft claims it's not a high risk for customers 
(http://www.betanews.com/article/1093035994).

To prove it's not a "hype" created by the media or companies like secunia, I 
created another proof-of-concept based on http-equiv's code that hides both the 
image to drag and the local folder you drop it to. As a result using the window scrollbar 
will install malware in your startup folder.

A little 5x5 pixel "drop zone" will automatically follow your mouse. Just drag 
the window scrollbar as usual (and a hidden image at the same moment) and wherever 
you release the mouse button you will drop an exe file to your shell:startup (as 
long as you remain inside the browser window of course).

Demo website: http://www.mikx.de/scrollbar/

Dragging the window scrollbar is a common behavior - even if I can't 
believe there was a world before mouse wheels. A common user will probably 
not recognize the installation at all.

Speaking of behaviors: If service pack 2 is installed you can work around this 
vulnerability by disabling "binary behaviors" in the new IE activex settings. You 
don't need to disable scripting completely.

It took me only 20 minutes to create this, so script kids around the world with 
enough free time will create even better protected mechanisms to exploit this bug 
in the near future.

Take it seriously!

mikx 

 

Try it yourself. Also, although the page claims that some users were still seeing the exploit after trying the stated workaround, it worked when I tried it so I don't know what's up with that.

-=> strawberryJAMM <=-
Jenni A. M. Merrifield

Karim
Karim
Trapped in a world he never made!
Oy.
strawberryJAMM wrote:
Keskos wrote:
Manip wrote:
Charles wrote:
nektar wrote: It seems that an attacker can design a webpage on which a user can inadvertently drag and drop an exe file into his startup folder just by using the ordinary scrollbar on that page.


Are you sure about that?

Charles


I'm sure.


You are sure as in you are sure about Apache's license, or you are sure as in ......... like you are sure about your name? Smiley

With all due respect, even if he isn't that sure, I am that sure, having just tried the proof-of-concept web page myself.

I got the link from an email sent to bugtraq by a "mikx" that was forwarded to a Security list I'm on:

From: mikx [mailto:mikx@mikx.de]
Sent: Tuesday, August 24, 2004 5:24 AM
To: bugtraq@securityfocus.com
Subject: What A Drag! -revisited-

Most people I talked to consider the Internet Explorer drag and drop vulnerability
found by http-equiv not as a serious problem, because it requires some user interaction
and the press pushes this topic way too much as the "first security problem in SP2".
In an article on BetaNews even Microsoft claims it's not a high risk for customers
(http://www.betanews.com/article/1093035994).

To prove it's not a "hype" created by the media or companies like secunia, I
created another proof-of-concept based on http-equiv's code that hides both the
image to drag and the local folder you drop it to. As a result using the window scrollbar
will install malware in your startup folder.

A little 5x5 pixel "drop zone" will automatically follow your mouse. Just drag
the window scrollbar as usual (and a hidden image at the same moment) and wherever
you release the mouse button you will drop an exe file to your shell:startup (as
long as you remain inside the browser window of course).

Demo website: http://www.mikx.de/scrollbar/

Dragging the window scrollbar is a common behavior - even if I can't believe there was a world before mouse wheels. A common user will probably not recognize the installation at all.

Speaking of behaviors: If service pack 2 is installed you can work around this vulnerability by disabling "binary behaviors" in the new IE activex settings. You don't need to disable scripting completely.

It took me only 20 minutes to create this, so script kids around the world with enough free time will create even better protected mechanisms to exploit this bug in the near future.

Take it seriously!

mikx

 

Try it yourself. Also, although the page claims that some users were still seeing the exploit after trying the stated workaround, it worked when I tried it so I don't know what's up with that.

-=> strawberryJAMM <=-
Jenni A. M. Merrifield



I tried it and IE asks me whether to save the file or not, and I don't even have SP2.

It works. This is what I did:

1. New Windows XP Professional install (English without SP).
2. Installed all available updates from Windows update.
3. Installed Service Pack 2.
4. Opened http://www.mikx.de/scrollbar/ with MSIE (6.0.2900.2180.XPSP_SP2_RTM)
5. Dragged scrollbar.

Result: booom[1].exe in "C:\Documents and Settings\newuser\Start Menu\Programs\Startup"

The only thing that tells something is going on is that the cursor briefly changes when dragging the scroll bar (to a "+ arrow"). And I get a prompt to overwrite booom[1].exe if I go back and do it a second time.
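The repro above ends with an unexpected `booom[1].exe` sitting in the per-user Startup folder, and the only visible cue was a brief cursor change. From a defender's side the practical check is not to watch the scrollbar but to watch that folder: snapshot it, diff later, and flag anything new that Windows would execute at logon. The script below is an added example, not code from this thread or from mikx; the Startup path for newer Windows, the list of runnable extensions, and the sample entries it diffs are assumptions (the XP path is the one quoted in the post). The bracket-number suffix in `booom[1].exe` is the naming IE's cache uses for a repeated download, so the check also reports that pattern as a hint that a browser, not the user, wrote the file.

```python
"""Baseline-and-diff check for the per-user Startup folder (added example)."""
import os
import re
from dataclasses import dataclass

# Extensions Windows will launch from the Startup folder (assumed list).
RUNNABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                ".vbs", ".js", ".lnk", ".hta"}
# "name[1].ext" is how IE's Temporary Internet Files names a repeated
# download; the thread's "booom[1].exe" shows the pattern.
IE_CACHE_NAME = re.compile(r"\[\d+\]\.[A-Za-z0-9]+$")


@dataclass(frozen=True)
class Entry:
    """One regular file in the folder; equality covers name, size and mtime."""
    name: str
    size: int
    mtime: float


def user_startup_folder():
    """Per-user Startup folder. XP path from the post; APPDATA form is assumed
    for newer Windows. Returns a path that may not exist on non-Windows hosts."""
    appdata = os.environ.get("APPDATA")
    if appdata:
        return os.path.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup")
    profile = os.environ.get("USERPROFILE", "")
    return os.path.join(profile, r"Start Menu\Programs\Startup")


def snapshot_dir(path):
    """Return {name: Entry} for the regular files under path."""
    out = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            st = os.stat(full)
            out[name] = Entry(name, st.st_size, st.st_mtime)
    return out


def diff_snapshots(baseline, current):
    """Report every entry that is new or changed since the baseline.

    Each finding is (name, reasons); reasons is sorted so output is stable.
    A new file with no other flag is still reported, so nothing is silent.
    """
    findings = []
    for name, entry in current.items():
        old = baseline.get(name)
        if old is not None and old == entry:
            continue
        reasons = ["new-file" if old is None else "modified"]
        if os.path.splitext(name)[1].lower() in RUNNABLE_EXT:
            reasons.append("runnable")
        if IE_CACHE_NAME.search(name):
            reasons.append("browser-cache-name")
        findings.append((name, sorted(reasons)))
    return sorted(findings)


def suspicious(findings):
    """Names that are both new/modified and runnable at logon."""
    return [name for name, reasons in findings if "runnable" in reasons]


def demo():
    """Constructed snapshots mirroring the post: a clean baseline, then the
    same folder after the scrollbar drag dropped booom[1].exe into it."""
    baseline = {"desktop.ini": Entry("desktop.ini", 0, 1.0)}
    current = {
        "desktop.ini": Entry("desktop.ini", 0, 1.0),
        "booom[1].exe": Entry("booom[1].exe", 4096, 2.0),
        "notes.txt": Entry("notes.txt", 12, 3.0),
    }
    findings = diff_snapshots(baseline, current)
    return findings, suspicious(findings)


if __name__ == "__main__":
    folder = user_startup_folder()
    if os.path.isdir(folder):
        # Real use: keep the baseline from a known-clean state, diff later.
        now = snapshot_dir(folder)
        print(f"{len(now)} file(s) in {folder}")
    for name, reasons in demo()[0]:
        print(f"{name}: {', '.join(reasons)}")
```

Keeping the baseline on disk from a known-clean state and re-running the diff at logon, or from a scheduled task, turns this into a cheap tripwire for exactly the drop the post describes; a file that is both `new-file` and `runnable` is the one to quarantine before the next logon runs it.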