Cybersnot Industries
Internet Explorer Bug
------------------------------------------------------------------------
Internet Explorer Bug 2/27/97 (Version 3.0 (4.70.1155))

Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug
which allows web page writers to use ".LNK" and ".URL" files to run
programs on a remote computer. This bug is particularly damaging
because it uses NO ActiveX, and works even when Internet Explorer is
set to its highest security level. It was tested on Microsoft Internet
Explorer Version 3.0 (4.70.1155) running Windows 95. This demo assumes
that Windows is installed in "C:\WINDOWS". Windows 95 DOES NOT PROMPT
BEFORE EXECUTING THESE FILES.

.URL files are WORSE than .LNK files because .URLs work in both Windows
95 and Windows NT 4.0 (.LNKs only work in Windows 95). .URL files
present a possibly greater danger because they can be easily created by
server side scripts to meet the specific settings of a user's system.
We will provide .URL files for execution in the next day or so.

The "shortcuts" can be set to be minimized during execution, which means
that users may not even be aware that a program has been started.

Microsoft's implementation of shortcuts becomes a serious concern if a
webpage can tell Internet Explorer to refresh to an executable. Worse,
client side scripts (Java, JavaScript, or VBScript) can use the
Explorer object to transfer a BATCH file to the target machine and then
META REFRESH to that BATCH file to execute the rogue command in that
file.

The following table outlines which areas and users each shortcut type
affects:

  File    Windows   Windows   Execute   Command Line    Searches
  Type    95        NT        Apps      Args Allowed    Path
  ------  --------  --------  --------  --------------  --------
  .LNK    Yes       No        Yes       Yes             No
  .URL    Yes       Yes       Yes       No              Yes

  Security Comparison .URL vs .LNK

Naturally, the files must exist on the remote machine to be properly
executed. But, Windows 95 comes with a variety of potentially damaging
programs which can easily be executed. The following links will start
the standard calculator which comes with Windows 95.

  Windows Calculator (.lnk)
  Windows Calculator (.url)

This bug can be used to wreak havoc on a remote user's machine. The
following links will create and delete some directories on a Windows 95
machine.

  Create a directory "C:\HAHAHA"
  Open "C:\HAHAHA"
  Remove the directory "C:\HAHAHA"

The META REFRESH tag can be used to execute multiple commands in
sequence. This demo copies a .BAT file into your Internet Explorer
cache and then runs the .BAT file. This .BAT will create a new key in
your registry called "HKEY_CURRENT_USER/Software/Cybersnot". It will
then open your AUTOEXEC.BAT and CONFIG.SYS in notepad. Finally, it will
open REGEDIT so that you can view the key it creates. This demo does
not destroy anything and should not cause any problems on your system.
HOWEVER, by clicking below, you are doing so at your own risk and agree
not to hold us liable for any problems which may (but probably won't)
arise.

  .BAT Demo
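
For anyone auditing pages or filtering at a proxy, the two delivery paths
described above (an ordinary link and a META REFRESH that point at a
.LNK, .URL or .BAT file) can be flagged before the browser sees them.
This is an added example, not part of the original page; the sample HTML,
its file names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types this page names as launch vectors.
RISKY_EXTENSIONS = (".lnk", ".url", ".bat")

# Constructed sample page; the file names are made up for illustration.
SAMPLE = """<html><head>
<meta http-equiv="REFRESH" content="0; URL=cache/demo.bat">
</head><body>
<a href="shortcuts/calc.lnk">calculator</a>
<a href="shortcuts/calc.url">calculator</a>
<a href="news.html">news</a>
</body></html>"""

def is_risky(target):
    """True when the target's path ends in a risky extension."""
    return urlparse(target.strip()).path.lower().endswith(RISKY_EXTENSIONS)

def refresh_target(content):
    """Return the URL part of a META REFRESH value such as '0; URL=x'."""
    rest = content.partition(";")[2].strip()
    if rest.lower().startswith("url="):
        rest = rest[4:].strip()
    return rest.strip("'\"") or None

class ShortcutLinkFinder(HTMLParser):
    """Collects (kind, target) for anchors and refreshes to risky files."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        attrs = {name: value or "" for name, value in attrs}
        if tag == "a":
            kind, target = "anchor", attrs.get("href")
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            kind, target = "meta-refresh", refresh_target(attrs.get("content", ""))
        else:
            return
        if target and is_risky(target):
            self.findings.append((kind, target))

def scan_html(html):
    """Return every risky link or refresh found in an HTML string."""
    finder = ShortcutLinkFinder()
    finder.feed(html)
    return finder.findings
```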

Well! We've made it to the news! Here is what people are saying:

  InfoWorld
  CNetNews
  Washington Post
  TechWeb
  San Jose Mercury News

Microsoft says a bug-fix will be available within 48 hours (as of
March 3, 1997) at:
http://www.microsoft.com/ie/default.asp

They have also provided a technical update at:
http://www.microsoft.com/ie/security/update.htm
------------------------------------------------------------------------
Internet Explorer Bug
Discovered By Paul Greene
Page and Examples by Geoffrey Elliott & Brian Morin
--I got two turntables and a microphone...
<> tbyars@earthlink.net <>