Bug Opens Microsoft IE to HTML .exe Attachments

In the latest in the long line of security dilemmas, Microsoft Corp. said
Friday a hole had been detected in its Internet Explorer browser in which a
hacker could allow a malicious page or e-mail to perform any action on a
computer.


The vulnerability affects IE 5, IE 5.5 over all Windows platforms. The hole,
brought to the software giant’s attention by Juan Carlos G. Cuartango of
Spain, was detailed in a security bulletin.
Basically, a false Multipurpose Internet Mail
Extensions
(MIME) header can cause IE to execute an e-mail attachment to
wreak havoc on a PC. Because HTML e-mails are Web pages, IE can render them
and open binary attachments in a way that is appropriate to their MIME
types.


But a flaw exists in the type of processing that is specified for certain
unusual MIME types. For example, if a attacker created an HTML e-mail
containing an executable attachment, and modified the MIME header
information to specify that the attachment was one of the unusual MIME types
that IE handles incorrectly, IE would launch the attachment automatically
when it rendered the e-mail.


Basically, a user with the knowledge to exploit the vulnerability could drop
a hostile HTML e-mail on a Web site and coax a user to visit it. Code page
could open the mail and initiate the executable. Or, if the hacker is so
inclined, he or she may send the HTML mail directly to the user. The latter
of the two possibilities is potentially less serious, as attachment would be
limited by a user’s permission.


Worst case scenario: a malicious user can run any program on someone else’s
computer. He or she would have the power to add, delete, or modify data and
reformat the hard drive. But, according the security bulletin, this isn’t a
sure thing. The perpetrator would have to tab someone naive enough to browse
a Web site she controlled or open an HTML e-mail that she had sent.
Essentially, problems may be avoided by following rules suggested by
umpteenth security firms and specialists: don’t open attachments or engage
in Web browsing from strangers.


Microsoft said as much in the bulletin: “As a general rule, it is probably
worth questioning the trustworthiness of any e-mail that automatically
starts a file download. The best action is to simply click the Cancel button
in the dialogue.”


But Microsoft said have no fear because a patch is here. The patch eliminates the vulnerability by correcting the
table of MIME types and their associated actions in IE. This blocks e-mails
from automatically launching executable attachments.


Still, the dilemma underscores the concerns and questions raised in regard
to Microsoft’s software products. It was just February when a flaw was found in Microsoft Corp.’s Outlook and Outlook Express (OE) e-mail
clients. As the widely-acknowledged king software maker in the country, it
is a burden the company has had to bear.


One security expert said that Microsoft’s bearing the brunt of a little nagging public relations snafu in announcing the holes as they are presented is minor compared to the headache the company could face if it ignored them altogether.


Dan McCall, executive vice president and co-founder of security consulting firm Guardent Inc., told InternetNews.com Friday that Microsoft’s proactive approach in isolating, testing and expounding on the vulnerabilities is refreshing in a day and age when other software vendors (of course, he would not say which)choose to ignore flaws and hope they’ll go away.


“The interesting thing about this from our perspective,” said McCall, who has worked with the software company often, “is that Microsoft is no more susceptible errors to coding errors than any other software vendor. Their products have millions of lines of code and sometimes the coding process is improper. In fact, in some ways they are less susceptible because what they choose to do is make it public as soon as possible and come up with a patch to nip it in the bud.”


Al Wilson, director of security technologies at Guardent agreed, and added that the MIME bug detected this week is more serious than most e-mail holes because it is the browser itself that delivers potentially charged payloads via e-mail.


McCall said he has known Microsoft to design patches for holes within a couple of hours of detecting a fissure. He also said no software maker is immune from such cracks.


“From the coding standpoint, you will always find problems,” McCall said. “There are just too many coding lines in software applications. I mean, you can take secure product A and combine it worth secure product B and the combination of the two software packages creates their own set of problems.”


McCall also suggested that comprehensive media coverage about Microsoft’s so-called security foibles works to the company’s advantage as it shows that the company is willing to meet the issues head on.


Still, ever curious hackers have poked
and prodded the giant’s products to no end, just as good Samaritans such as
Cuartango tipped Microsoft off to the vulnerabilities when he unearths them.


A search on Google’s engine revealed that Cuartango is responsible for
detecting myriad phantoms in Microsoft’s software, particularly with
respect to IE.


Cuartango has also placed a demo of how the IE 5 MIME vulnerability works on
Spanish security site Kriptopolis.

News Around the Web