
CIAC INFORMATION BULLETIN

H-38a: Internet Explorer 3.x Vulnerabilities

March 10, 1997 22:00 GMT


PROBLEM:       Arbitrary commands may be executed on a Web client system using 
               Microsoft Internet Explorer 3.x. 
PLATFORM:      Windows 95, Windows NT 
DAMAGE:        A Web server can potentially destroy or manipulate data on a 
               visiting client system. 
SOLUTION:      Install the patch referenced below 

VULNERABILITY  This is a potentially serious vulnerability that should be 
ASSESSMENT:    addressed as soon as possible. 

Several security vulnerabilities have been discovered in Microsoft Internet Explorer 3.0 and 3.01 for Windows 95 and NT. The vulnerabilities allow an arbitrary program to be executed on a user's machine when accessing a malicious Web site. For example, selecting a URL on a Web site could cause the standard Windows calculator to start executing. Other programs that are more destructive in nature, such as format or deltree, might also be executed. These programs are executed without permission from the user - the standard security mechanisms provided with Internet Explorer are bypassed completely.

These problems are unrelated to ActiveX or Java, common sources of security concern. Rather, these vulnerabilities take advantage of two features of the Windows 95/NT4.0 interface - shortcuts and hyperlinks. Shortcuts are files ending with a .LNK extension, and provide a means of referencing another file on a system. Windows hyperlinks are files ending with a .URL extension, and provide a quick jump to a URL on the Internet. When files of these types are placed on a Web site, they may potentially execute an arbitrary command on the client's computer when accessed through a URL. The arbitrary command (and the path to the command) must be known ahead of time, but many key system programs are kept in standard locations, so the path may be easily guessed.
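The following is an added example, not part of the CIAC bulletin or Microsoft's patch: a content check that a Web gateway or download filter could apply to recognize .LNK and .URL files served from a Web site, whatever name they carry. The function names, the block/review/allow policy and the sample inputs are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlparse

# Shell link (.LNK) files start with HeaderSize 0x4C and a fixed CLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
WEB_SCHEMES = {"http", "https", "ftp"}

# Constructed sample inputs (not taken from the bulletin).
SAMPLE_LNK = LNK_MAGIC + b"\x00" * 56
SAMPLE_WEB_URL = b"[InternetShortcut]\r\nURL=http://www.example.com/\r\n"
SAMPLE_LOCAL_URL = b"[InternetShortcut]\r\nURL=file:///C:/WINDOWS/CALC.EXE\r\n"


def url_shortcut_target(data):
    """Return the URL= value of an [InternetShortcut] file, or None."""
    parser = configparser.RawConfigParser(strict=False)
    try:
        parser.read_string(data.decode("latin-1"))
        return parser.get("InternetShortcut", "URL")
    except configparser.Error:
        return None  # not INI text, or no [InternetShortcut] section


def inspect_download(filename, data):
    """Classify a file fetched from a Web server.

    Returns (verdict, detail); verdict is 'block', 'review' or 'allow'.
    """
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(LNK_MAGIC):
        # The content is a shortcut regardless of the file name.
        return "block", "shell link (.LNK) content served from the web"
    target = url_shortcut_target(data)
    if target is not None:
        scheme = urlparse(target).scheme.lower()
        if scheme not in WEB_SCHEMES:
            # A local path or file: target refers to the client's own disk.
            return "block", "URL shortcut points outside the web: " + target
        return "review", "URL shortcut to " + target
    if ext in ("lnk", "url"):
        return "review", "shortcut extension with unrecognised content"
    return "allow", ""


if __name__ == "__main__":
    samples = [("promo.lnk", SAMPLE_LNK), ("site.url", SAMPLE_WEB_URL),
               ("tool.url", SAMPLE_LOCAL_URL), ("index.html", b"<html></html>")]
    for name, body in samples:
        print(name, inspect_download(name, body))
```

Checking the leading bytes and the parsed target, rather than the extension alone, also catches a shortcut served under a different file name.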

Microsoft has addressed the problems with a patch on their Web site at http://www.microsoft.com/ie/security/update.htm


CIAC wishes to acknowledge the contributions of Paul Greene, Geoffrey Elliot, and Brian Morin of Worcester Polytechnic Institute, and Microsoft for the information contained in this bulletin.



CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788