RealTime IT News

Bug Opens Microsoft IE to HTML .exe Attachments

In the latest in the long line of security dilemmas, Microsoft Corp. said Friday a hole had been detected in its Internet Explorer browser in which a hacker could allow a malicious page or e-mail to perform any action on a computer.

The vulnerability affects IE 5, IE 5.5 over all Windows platforms. The hole, brought to the software giant's attention by Juan Carlos G. Cuartango of Spain, was detailed in a security bulletin. Basically, a false Multipurpose Internet Mail Extensions (MIME) header can cause IE to execute an e-mail attachment to wreak havoc on a PC. Because HTML e-mails are Web pages, IE can render them and open binary attachments in a way that is appropriate to their MIME types.

But a flaw exists in the type of processing that is specified for certain unusual MIME types. For example, if a attacker created an HTML e-mail containing an executable attachment, and modified the MIME header information to specify that the attachment was one of the unusual MIME types that IE handles incorrectly, IE would launch the attachment automatically when it rendered the e-mail.

Basically, a user with the knowledge to exploit the vulnerability could drop a hostile HTML e-mail on a Web site and coax a user to visit it. Code page could open the mail and initiate the executable. Or, if the hacker is so inclined, he or she may send the HTML mail directly to the user. The latter of the two possibilities is potentially less serious, as attachment would be limited by a user's permission.

Worst case scenario: a malicious user can run any program on someone else's computer. He or she would have the power to add, delete, or modify data and reformat the hard drive. But, according the security bulletin, this isn't a sure thing. The perpetrator would have to tab someone naive enough to browse a Web site she controlled or open an HTML e-mail that she had sent. Essentially, problems may be avoided by following rules suggested by umpteenth security firms and specialists: don't open attachments or engage in Web browsing from strangers.

Microsoft said as much in the bulletin: "As a general rule, it is probably worth questioning the trustworthiness of any e-mail that automatically starts a file download. The best action is to simply click the Cancel button in the dialogue."

But Microsoft said have no fear because a patch is here. The patch eliminates the vulnerability by correcting the table of MIME types and their associated actions in IE. This blocks e-mails from automatically launching executable attachments.

Still, the dilemma underscores the concerns and questions raised in regard to Microsoft's software products. It was just February when a flaw was found in Microsoft Corp.'s Outlook and Outlook Express (OE) e-mail clients. As the widely-acknowledged king software maker in the country, it is a burden the company has had to bear.

One security expert said that Microsoft's bearing the brunt of a little nagging public relations snafu in announcing the holes as they are presented is minor compared to the headache the company could face if it ignored them altogether.

Dan McCall, executive vice president and co-founder of security consulting firm Guardent Inc., told InternetNews.com Friday that Microsoft's proactive approach in isolating, testing and expounding on the vulnerabilities is refreshing in a day and age when other software vendors (of course, he would not say which)choose to ignore flaws and hope they'll go away.

"The interesting thing about this from our perspective," said McCall, who has worked with the software company often, "is that Microsoft is no more susceptible errors to coding errors than any other software vendor. Their products have millions of lines of code and sometimes the coding process is improper. In fact, in some ways they are less susceptible because what they choose to do is make it public as soon as possible and come up with a patch to nip it in the bud."

Al Wilson, director of security technologies at Guardent agreed, and added that the MIME bug detected this week is more serious than most e-mail holes because it is the browser itself that delivers potentially charged payloads via e-mail.

McCall said he has known Microsoft to design patches for holes within a couple of hours of detecting a fissure. He also said no software maker is immune from such cracks.

"From the coding standpoint, you will always find problems," McCall said. "There are just too many coding lines in software applications. I mean, you can take secure product A and combine it worth secure product B and the combination of the two software packages creates their own set of problems."

McCall also suggested that comprehensive media coverage about Microsoft's so-called security foibles works to the company's advantage as it shows that the company is willing to meet the issues head on.

Still, ever curious hackers have poked and prodded the giant's products to no end, just as good Samaritans such as Cuartango tipped Microsoft off to the vulnerabilities when he unearths them.

A search on Google's engine revealed that Cuartango is responsible for detecting myriad phantoms in Microsoft's software, particularly with respect to IE.

Cuartango has also placed a demo of how the IE 5 MIME vulnerability works on Spanish security site Kriptopolis.