Internet Explorer 4.0 and DHTML

Reported October 16, 1997 by Ralf Hueskes

Systems Affected

Systems Running Internet Explorer 4.0

The Problem

A dangerous security hole in Internet Explorer 4.0 was detected by Ralf Hueskes of Jabadoo Communications when he conducted a series of security tests for C"T computer magazine.

His tests revealed that it is possible to spy on the contents of any    text and HTML files on somebody else"s computer. Not only local files are in danger, but also data on your company"s intranet - even if it is protected by a firewall.

The security hole exists even if users have activated the highest security level in their browser. The problem affects both the German and the English version of the Internet Explorer.

The code needed for infiltrating your files can be hidden in any normal Web page or in an e-mail message.

Technical Details

   The spy pages make use of JScript. If a user accesses a page or receives an e-mail containing this code, infiltration begins ...

   The spy page contains a so-called IFRAME sized 1 by 1 pixel. When a user accesses the page or opens the e-mail message, a small Jscript program loads the HTML or text file to be spied on into this frame. The contents of the frame can then be read using Dynamic HTML and sent as a parameter hidden in a URL to any Web server in the Internet.

  

Protective Measures

   According to Ralf Hueskes of Jabadoo Communications, the security hole exploits an error in the Internet Explorer 4.0 that can be fixed only by the manufacturer. Microsoft is aware of the problem and will make available a patch for download from http://www.microsoft.com/ie/ on    October 17th 1997.

   Experienced users can protect themselves by completely deactivating the execution of Active Scripting in the security settings (menu item: Tools/Options/Security, Settings/Custom (for expert users)/Active Scripting/Disable) and by using the Security Zones feature in Internet Explorer 4.0.

Stopping the Problem:

Load the patch located here.

Microsoft"s Response:

The folks in Redmond say the exploit could allow a malicious Web site to obtain the contents from a text, HTML, or a graphic image (no other file types) from a user"s hard disk. That information could not be damaged or manipulated on the user"s computer, but it could be viewed.

They also asked the discoverer to remove his sample Web page. Uh, alot of good that did :-)

To learn more about new NT security concerns, subscribe to NTSD.

Credit:
Reported by Ralf Hueskes
Posted here at NTSecurity.Net October 22, 1997