Last Update: 1998-11-28
IE 4.0 and/or Compaq has security bug that allows remote users to run commands on local machine.
Win98, IE 4.0, America On-Line (AOL), Microsoft Network (MSN)
Note: So far, this problem has been demonstrated on the Compaq OEM version of Windows 98, which includes IE 4.0. It is not clear yet what the scope of the problem is. See Feedback, below.
We have discovered a secrious security problem it Internet Explorer 4.0 running on Windows 98. We were attempting to re-install a Compaq Presario 1810 laptop. The Compaq laptop uses the browser (IE 4.0) under Win98 to perform system administration facilities. One of the options in a (local) web page was "reboot system", another was "reinstall system".
We were concerned that significant, potentially abusive system access was permitted through the browser. With a little experimentation (but not actually wiping the disk yet), we discovered that it is possible to access Windows commands directly via the browser. We inspected the HTML files (see below for a copy of the files) and discovered Windows commands embedded in the HTML. Apparently, the HTML calls Javascript which invokes a Java applet which then can run any program on the local computer.
We tried this in Netscape Communicator 4.5 on the same laptop, which balked. We were unable to recreate the problem in Netscape.
We added the ActiveX plug-in by NCompass to Netscape, but still were unable to recreate the problem in Netscape.
We tried creating the problem on Windows 95, but were unable to.
IMPORTANT: This problem may exist on Windows 95, we were unable to recreate the problem with limited experimentation.
We thought this problem might exist only because the files were local. Not true. We uploaded the files onto a web sever, loaded the remote URL, and caused our laptop to execute commands.
We modified the HTML and Javascript and were able to choose any program to run.
The applet was "signed" by Verisign.
It's not clear yet how the signed applet is related to additional and/or insecure access to the system.
IMPORTANT: This means that any command can be silently run on a user's computer, including: formatting the disk drive (verified), rebooting your computer (verified), silent upload/download (simulated) of any of the user's files.
We also verified that commands can be run with parameters -- an important feature because it allows, potentially, more destructive behavior with less setup.
IMPORTANT: In effect, this security hazard doesn't require the user to download viruses onto the computer -- the viruses (normal windows commands) are already there.
Analysis: This appears to be a significant security hole, which are the default settings for Win98 installations. The user's privacy may be silently compromised just by surfing the net with IE 4.0. It appears that the main flaw is the ability to use ActiveX controls and/or commands directly through the IE 4.0 browser.
Recommendations:
We've reached the limits of experimentation techniques. Further experimentation would require significantly more effort and is better performed by the Compaq (laptop manufacturer) and/or Microsoft (browser vendor and operating system vendor).
We've copied all the files into the following directory:
http://www.farance.com/etc/ie40-security-bug-19981120/sample-files
IMPORTANT: IT IS NOT CLEAR WHAT EFFECT THE FILES WILL HAVE ON YOUR COMPUTER, SO DOWNLOAD AT YOUR OWN RISK.
The file "fwqrcd.html" is the original file where the problem was discovered. The files "testjunk.html" and "testjunk1.html" show calling a command and a command with a parameter. We've chosen harmless commands in "testjunk*".
We're received the following responses:
We are reporting this problem to CERT and Microsoft.
For further information, contact:
Frank Farance
Farance Inc.
E-mail: frank@farance.com
Phone: +1 212 486 4700
Fax: +1 212 759 1605