[ISN] Experts warn of trick to bypass IE download warnings

InfoSec News isn at c4i.org
Mon Jan 17 01:23:39 EST 2005


By Paul Roberts
IDG News Service

A computer security researcher and an anti-virus company are warning
Microsoft customers about an unpatched hole in the company's Internet
Explorer Web browser that could allow a remote attacker to bypass
security warnings and download malicious content onto vulnerable

The warnings came after the hole was identified on the Bugtraq
Internet security discussion list by someone using the name "Rafel
Ivgi." The hole affects Internet Explorer (IE) version 6.0.0,
including the version released with Windows XP Service Pack 2. The
vulnerability allows malicious attackers to bypass warnings designed
to inform users when a file is being passed to their computer using a
specially-crafted HTML Web document.

Microsoft was not able to comment on the hole in time for this story.

Security software company Symantec issued a vulnerability alert about
the hole Friday and cited Ivgi, which also provided code proving that
the hole existed.

According to the Bugtraq message and Symantec alert, an IE feature
designed to catch references to file downloads does not detect a
particular HTML event, known as "onclick," when it is combined with
the common HTML tag, which designates the beginning and ending of the
main part of a Web page.

Malicious Internet users could use the onclick event in combination
with another function called "createElement" to create an IFRAME, or
"inline frame," which is an HTML element that allows external objects
to be inserted into another HTML document. Attackers could link the
IFRAME to a malicious Web page that downloaded a malicious file to the
user's computer when the page was clicked on, without generating a
warning in the Information bar, Symantec said.

There is no patch available for the new hole, and no specific exploit
code is required to take advantage of the hole, Symantec said.

IE users are advised to avoid links provided by unknown or untrusted
sources, to keep from being lured to a malicious Web site. IE users
can also configure the browser to disable the execution of script code
and active content, though doing so could have adverse effects on the
way IE functions, Symantec said.

The news comes just three days after Microsoft issued software patches
for several serious Windows security holes and released a new tool
that lets users remove malicious software from their PCs, and amid
increasing competition in the Web browser market from the Mozilla
Foundation's Firefox browser.

On Tuesday, the Redmond, Wash., software company published security
bulletins and patches for two critical holes, one in the Windows HTML
Help system and the other in Windows code that handles cursor,
animated cursor and icon formats.

More information about the ISN mailing list