Date: Thu, 22 Aug 1996 15:49:33 -0700 From: Thomas Reardon <thomasre@MICROSOFT.com> Subject: Re: Internet Explorer security problem (Felten, RISKS-18.36)

We have discovered a security flaw in the current version (3.0) of Microsoft's Internet Explorer browser running under Windows 95. An attacker could exploit the flaw to run any DOS command on the machine of an Explorer user who visits the attacker's page.

We now post the virus warning dialog on local files (file: urls). We have always posted it on remote files (http: urls). Note that the root of the problem is not Java or the browser, but in macro-enabled applications. IE3 has a mechanism to warn users about safety of documents when used with common macro-enabled applications. We are have updated Microsoft Word such that by default it will not run macros embedded in documents. -Thomas

---------- Forwarded message ---------- Date: Mon, 26 Aug 1996 01:35:07 GMT Subject: Microsoft Explorer security hole (fwd)

On Sun, 25 Aug 1996 13:55:30 -0600 (MDT), Carl Nation <carl@iserver.com> wrote:

To our Resellers/Customers,

Our sysadmin received this security alert, and we thought we should pass it along...

------- Forwarded Message

Date: Wed, 21 Aug 1996 13:12:59 -0400 From: felten@CS.Princeton.EDU (Ed Felten) Subject: Internet Explorer Security Problem

We have discovered a security flaw in the current version (3.0) of Microsoft's Internet Explorer browser running under Windows 95. An attacker could exploit the flaw to run any DOS command on the machine of an Explorer user who visits the attacker's page. For example, the attacker could read, modify, or delete the victim's files, or insert a virus or backdoor entrance into the victim's machine. We have verified our discovery by creating a Web page that deletes a file on the machine of any Explorer user who visits the page.

The core of the attack is a technique for delivering a document to the victim's browser while bypassing the security checks that would normally be applied to the document. If the document is, for example, a Microsoft Word template, it could contain a macro that executes any DOS command.

Normally, before Explorer downloads a dangerous file like a Word document, it displays a dialog box warning that the file might contain a virus or other dangerous content, and asking the user whether to abort the download or to proceed with the download anyway. This gives the user a chance to avoid the risk of a malicious document. However, our technique allows an attacker to deliver a document without triggering the dialog box.

Microsoft has been notified and they are working on fixing the problem. Until a remedy is widely available, we will not disclose further details about the flaw.

For more information, contact Ed Felten at felten@cs.princeton.edu or 609-258-5906.

Dirk Balfanz and Ed Felten Dept. of Computer Science, Princeton University http://www.cs.princeton.edu/sip/

------- End of Forwarded Message

-- ------------------------------------------ There are no facts, only interpretations. I always wanted to be somebody,