Update April 02, 2002
A patch for this exploit is now available from Microsoft:
http://www.microsoft.com/windows/ie/downloads/critical/Q319182/default.asp
Limited testing revealed that this patch had no effect on the behavior of a machine using
Internet Explorer 6 and Windows 2000 SP2.
Who discovered the exploit
EdenSoft does not know the original discoverer of the exploit, but we learned about the exploit from
Sidney Markowitz, who is beta testing PopUpCop. He referred us to grayMagic Software,
who provides a detailed explanation and a harmless demonstration of the exploit here.
(http://security.greymagic.com/adv/gm001-ie/)
The nature of the exploit
A malicious Web site can execute an arbitrary program on a local disk volume. Provided that the
authors of the Web page know the full path to the program in question (for example, "c:/windows/system/notepad.exe"),
the ActiveX code download mechanism in Internet Explorer will execute the program, thinking that the
program is a "safe" ActiveX control download.
When a Web designer wishes to specify an ActiveX control on a Web page, she or he uses an HTML statement that
looks something like this:
<object classid="clsid:XXXXXXXX" codebase="http://www.edensoft.com/myactivex.cab"></object>
The above statement tells Internet Explorer that this page uses an ActiveX control with the class
GUID "XXXXXXXX", and if the ActiveX control has not yet been installed on the user's computer, the binary code
for the control can be downloaded from the location www.edensoft.com/myactivex.cab, using the HTTP protocol.
Since the binary code for an ActiveX control could require a complex installation procedure, Internet
Explorer allows the binary code for the control to reside in an executable file which is run to complete
the installation.
The exploit takes advantage of this mechanism by asking Internet Explorer to download a non-existent ActiveX
control with the GUID 11111111-1111-1111-1111-111111111111 (Update: our test page now uses the GUID 42B1C70D-9823-41f7-810A-682DA294D868). The exploit substitutes the name of the
program it wishes to execute (for example, "C:/windows/notepad.exe") for the location of the binary
code for the non-existent control.
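The pattern described above (an object tag whose codebase names a local executable instead of a remote .cab) is easy to check for in HTML before it reaches a browser. The following is an added example written for this advisory, not code from EdenSoft or greyMagic: it scans HTML for object elements whose codebase is a drive-letter path, a file: URL or a UNC path and reports them. The sample HTML is constructed here from the advisory's own examples; the helper names are the author's own.

```python
"""Flag <object> elements whose codebase points at a local path rather than a remote HTTP(S) URL.

Added example for this advisory (not EdenSoft's or greyMagic's code). A mail gateway,
proxy filter or page audit can run this over HTML: a codebase naming a local drive,
a file: URL or a UNC path is the shape the advisory describes, where Internet Explorer
treats a local program as a "safe" ActiveX control to run.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# "C:/..." or "C:\..." (drive letter followed by a path separator)
LOCAL_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")
# "\\server\share\..." (UNC path)
UNC_PATH = re.compile(r"^\\\\")


def codebase_is_local(codebase: str) -> bool:
    """True if the codebase value resolves to a local or network file path."""
    cb = codebase.strip()
    if not cb:
        return False
    if LOCAL_DRIVE.match(cb) or UNC_PATH.match(cb):
        return True
    # codebase may carry a "#version=..." suffix; urlparse puts it in .fragment
    return urlparse(cb).scheme.lower() == "file"


class ObjectCodebaseScanner(HTMLParser):
    """Collects (classid, codebase) pairs for object tags with a local codebase."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "object":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        codebase = attr.get("codebase", "")
        if codebase_is_local(codebase):
            self.findings.append((attr.get("classid", ""), codebase))


def scan_html(html: str) -> List[Tuple[str, str]]:
    """Return every object tag in `html` whose codebase is a local path."""
    scanner = ObjectCodebaseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate remote codebase, two local ones (GUID from the advisory).
SAMPLE_HTML = """<html><body>
<object classid="clsid:XXXXXXXX" codebase="http://www.edensoft.com/myactivex.cab"></object>
<object classid="clsid:42B1C70D-9823-41f7-810A-682DA294D868" codebase="C:/windows/notepad.exe"></object>
<object classid="clsid:XXXXXXXX" codebase="file:///c:/windows/system/notepad.exe#version=1,0,0,0"></object>
</body></html>"""

if __name__ == "__main__":
    for classid, codebase in scan_html(SAMPLE_HTML):
        print(f"local codebase: classid={classid} codebase={codebase}")
```

Only explicit local forms are flagged; a relative codebase such as "myactivex.cab" resolves against the page's own URL and is left alone, so the check does not produce noise on ordinary control downloads.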
Vulnerable versions of Internet Explorer
Version 5.5
Version 6.0
Internet Explorer version 5.0 and version 5.01 do not seem vulnerable to this particular implementation of
the exploit.
Additional risk with some email programs
If you use an email program that automatically extracts attachments from email messages to a known directory,
and also uses the Microsoft Web Browser control to display HTML email, this exploit could be used to deliver
a malicious program to your computer and execute that program without you doing anything other than
viewing the email.
You cannot use Internet Explorer's User Interface to work around this exploit
The reason that a program can be executed without any warning to you is that by default, Internet Explorer implicitly
trusts any ActiveX component that is "downloaded" from your computer. Specifically, the settings for download
permission for both signed and unsigned ActiveX controls in the My Computer Internet security zone are
set to "Enable", rather than the more secure settings of "Prompt" or "Disable".
If you go to your control panel and try to change the security settings for your local computer,
you will probably notice that there is no My Computer zone listed among the Web content zones on the
Security settings page. The only way to change these settings is by obtaining a special utility from
Microsoft, using a program specifically designed to change settings for this zone, or by manually changing
values in the system registry.
UPDATE: You can make the My Computer zone visible by changing a single bit in
the Windows registry. Our utility enables you to change that bit. (Thanks to
Tom Kluegel for pointing us to this flag.)
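An administrator who wants to verify the state of the My Computer zone described above can read it from the registry rather than from the (hidden) dialog. The following is an added example written for this advisory, not EdenSoft's utility. The registry path and value names are Microsoft's documented Internet Explorer zone settings, not values taken from this page: Zones\0 is the My Computer zone, action 1001 is "Download signed ActiveX controls", action 1004 is "Download unsigned ActiveX controls" (0 = Enable, 1 = Prompt, 3 = Disable), and bit 0x20 of the zone's Flags value is what hides the zone in Internet Properties. The evaluation is separated from the winreg read so the logic runs on any platform; the sample value sets are constructed.

```python
"""Audit the My Computer zone's ActiveX download policy and visibility flag.

Added example for this advisory (not EdenSoft's utility). Registry names are
Microsoft's documented IE zone settings, assumed here rather than taken from the page.
"""
import sys
from typing import Dict, List, Optional

ZONE0_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
}
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}
HIDE_ZONE_FLAG = 0x20  # "do not show this zone in Internet Properties"


def evaluate_zone(values: Dict[str, int]) -> Dict[str, object]:
    """Classify each ActiveX download action and report whether the zone is hidden."""
    weak: List[str] = []
    report: Dict[str, object] = {}
    for action, label in ACTIONS.items():
        setting = values.get(action)
        if setting is None:
            report[label] = "not set"
            continue
        report[label] = POLICY.get(setting, f"unknown({setting})")
        if setting == 0:  # "Enable" lets a local program run as a control with no prompt
            weak.append(label)
    report["weak_settings"] = weak
    report["vulnerable_default"] = bool(weak)
    report["zone_hidden"] = bool(values.get("Flags", 0) & HIDE_ZONE_FLAG)
    return report


def read_zone0_values() -> Optional[Dict[str, int]]:
    """Read the per-user My Computer zone values on Windows; returns None elsewhere."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # only available on Windows

    out: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE0_PATH) as key:
        for name in list(ACTIONS) + ["Flags"]:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue
            if kind == winreg.REG_DWORD:
                out[name] = int(data)
    return out


# Constructed samples: the permissive state the advisory describes, and a hardened one.
PERMISSIVE_SAMPLE = {"1001": 0, "1004": 0, "Flags": 0x21}
HARDENED_SAMPLE = {"1001": 1, "1004": 3, "Flags": 0x01}

if __name__ == "__main__":
    live = read_zone0_values()
    target = live if live is not None else PERMISSIVE_SAMPLE
    for key, value in evaluate_zone(target).items():
        print(f"{key}: {value}")
```

The script only reads; changing the values (setting 1001 and 1004 to Prompt or Disable, or clearing the 0x20 bit so the zone appears in the Security settings page) is the workaround the advisory points to and should be done with the utility or a deliberate registry edit.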
Click here to find out how to work around this exploit.
Brought to you as a public service by EdenSoft, the makers of PopUpCop, the Internet Irritation Inhibitor(tm)