IE Exploit Lets Attackers Plant Programs on SP2

By Larry Seltzer  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Updated: New attack finds yet another leak in local resource security that Windows XP Service Pack 2 and subsequent patches were supposed to plug.

A security researcher has discovered a new exploit for Microsoft Corp.'s Windows XP Service Pack 2 that allows programs to be planted and executed on fully-patched systems.

The researcher, known as http-equiv and operator of the malware.com Web site, discovered a weakness in the local security zone of Internet Explorer which, through the use of the HTML Help control, allows security restrictions in the zone to be bypassed.

In combination with a separate vulnerability, in which drag-and-drop operations permit executable content to be placed on the system, the result of the attack is the delivery and execution of potentially hostile code from an external Web site. The researcher provides a proof of concept example on the site.

The drag-and-drop component of the example is surprising in light of Microsoft's recent patching of a related vulnerability. Thor Larholm, senior security researcher for PivX Solutions, said the Microsoft patch, designated MS04-038, "does not patch the drag-and-drop problem directly—instead it tries to prevent its use by limiting the types of files that can be used in DYNSRC."

DYNSRC specifies the address of a media object used in a Web page. "As http-equiv demonstrates in his original post, this restriction could be circumvented," Larholm said.

The problem is relatively minor and can be patched by Microsoft without too much bother, Larholm said. In the meantime, it can be circumvented by disabling a particular shell object, Shell.Explorer, by setting its "kill bit" in the registry. PivX Inc. is providing a registry fix for doing this on their Web site.

In order to deliver and run the attack code the user must perform a drag-and-drop operation. In a real-world attack, users would probably be enticed with a media file such as an image or music, but the file would contain the attack code, according to a description written by Symantec Corp.

A Microsoft spokeswoman said the company is investigating reports of a vulnerability affecting Windows XP Service Pack 2 and earlier versions of Windows that could enable an attacker to place a malicious file on a user's system.

"Microsoft is not aware of any customer impact at this time. However we will continue to investigate the issue to determine the appropriate course of action to protect our customers. This might include providing a fix through our monthly patch release process or an out-of-cycle update, depending on customer needs," she said.

Microsoft also advises customers who have applied the latest Internet Explorer update, MS04-038, to set the "Drag and Drop or copy and paste files" option in the Internet and Intranet zone to "Disable" or "Prompt." Once this setting is changed, the spokeswoman said, the attack described in the report will not succeed.

In addition, customers who have set their Internet Security zone settings set to high will not impacted by this vulnerability.

Editor's Note: This story was updated to include additional information from Microsoft.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...