Bug Triad Whacks Internet Explorer
To prove that no security bug is truly harmless, a security group has stitched together two minor flaws in Microsoft's Internet Explorer 6.0 browser with a small glitch in Windows Media Player to create one seriously powerful attack.
By coaxing IE users to view a Web page containing the special code, an attacker can silently force Windows 98, Windows 2000, or Windows XP users to run a malicious program of the attacker's choice.
The security group, Malware.com, has created a harmless demonstration of the flaw which downloads and runs an executable program that fills the victim's computer screen with flames.
A Malware.com member who uses the nickname "Http-equiv" says he named the vulnerability "Stench" to dramatize why it's dangerous for Microsoft to downplay and delay patching security bugs that it considers minor.
"Their patching tiny pinprick holes and not the overall problems, their mitigating factors, their ignoring small demonstrated flaws, all add up into a monster problem, which basically stinks," said Http-equiv in an e-mail interview Tuesday.
Internet Explorer currently contains at least 18 security bugs, many of them low-risk annoyances. Because it allows an attacker to run code on a victim's machine, Stench is the most serious security issue currently facing IE, according to Thor Larholm, a researcher with Pivx Solutions who tracks IE vulnerabilities.
Larholm said the information provided in the Malware.com advisory could easily be used to create a harmful exploit.
"Follow the steps and you're done. I could let my 12-year-old cousin do this," said Larholm, who added that because all three bugs have been known to Microsoft for many months, Malware.com's release of the information was "by the book" and does not constitute what Microsoft calls "irresponsible disclosure."
A Microsoft representative said the company was currently studying the report and would take appropriate action.
Company Patchwork Faulted According to Http-equiv, the exploit depends in part on a known quirk in how Microsoft's media player handles self-extracting Windows Media Download (WMD ) files.
"If we can place our 'goodies' inside the .wmd file and have the player unpack it, we now have arbitrary code on the target computer," said Http-equiv.
Using a year-old IE bug known as the "codebase local path" vulnerability -- a bug that was only partially fixed by Microsoft last March -- the Stench exploit is able to unpack and execute the malicious code without triggering IE's security settings, he said.
According to Larholm, a major update to Internet Explorer known as IE6 Service Pack One could include fixes for numerous bugs, including those exploited by Stench. Microsoft quietly released SP1 to its download servers in late August but removed the upgrade shortly afterwards without explanation.
On August 22, Microsoft issued a cumulative patch for IE that addressed several severe bugs did not include complete fixes for the codebase localpath and numerous other vulnerabilities, Larholm said.
Malware.com's Stench advisory, posted to security mailing lists on August 21, concluded with the following statement: "Instead of sitting around trying to thinking up ways that all these things cannot work, simply fix it the first time round. There is no such thing as 'mitigating factors' and 'hurdles'. This is a lie. Pure fantasy. Fiction. Fix it when you can! For every way you think it cannot be done, there are 10 ways it actually can!"
By Brian McWilliams
To continue reading this article you must be a Bloomberg Professional Service Subscriber.
If you believe that you may have received this message in error please let us know.