From: Russ <Russ.Cooper@rc.on.ca>
To: 'Frank Farance' <frank@farance.com>
Cc: "'cert@cert.org'" <cert@cert.org>, "'secure@microsoft.com'" <secure@microsoft.com>
Subject: RE: More info in IE 4.0 security problem
Date: Sat, 28 Nov 1998 11:58:00 -0500
Importance: high
X-Mailer: Internet Mail Service (5.5.2232.9)

sqrcdapp.cab, which presumably, is the applet which you have found an "exploit" in, is not a Microsoft applet, it belongs to Compaq. It does not ship with Microsoft's IE, or Microsoft's Windows '98, it is supplied by Compaq (presumably as part of their OEM distribution of Windows '98).

Ergo, IE does not have a security exploit, Compaq's applet does. This will not affect users of IE, Win95, Win98, or NT, who do not have Compaq's applet.

I went to your page;

<http://www.farance.com/etc/ie40-security-bug-19981120/sample-files/fwqrcd.html>

and on 1st run on my non-Compaq Win98 machine (default security installation), I got the following error message;

-------
Internet Explorer Script Error

An error has occurred in the script on this page.

Line: 21
Char: 5
Error: Object doesn't support this property or method
Code: 0

Do you want to continue running scripts on this page?
-------

To which I answered "No".

While that error was displayed, the IE Security Warning dialog box appeared containing Compaq's Authenticode Certificate for the applet. It is, indeed, a validly signed Compaq Authenticode Certificate asking for "Full Permissions" on the box. I suspect that the applet is designed to be the equivalent of a system tool (which Compaq have supplied before and installed, usually, by default).

I accepted the Certificate but nothing further happened (presumably because I told the script I didn't want it to continue running).

I did a Refresh, and proceeded to click on your "Start" button (labeled: "The START button will restart your computer.") on your web page. I received a dialog box saying "Please make sure the Compaq Quick Restore CD is in the CDROM drive." I clicked "Ok" and nothing happened.

I rebooted, started IE (which starts at a blank page), went into View/Internet Options/Temporary Internet Files, and clicked "Delete Files"...thereby clearing my cache.

I then went, once again, to your page;

<http://www.farance.com/etc/ie40-security-bug-19981120/sample-files/fwqrcd.html>

This time, there was no jscript error. I was, once again, prompted to accept the Compaq Certificate, which I did. I clicked on your "Start" button and received the dialog "Please make sure the Compaq Quick Restore CD is in the CDROM drive." again. I clicked "Ok", again, and nothing happens.

If there is an exposure here, it's an exposure on Compaq Systems pre-installed, or re-installed, with Compaq's Windows '98. I would, however, also ask whether or not, during the Compaq installation, there is an option to install something like "Compaq System Utilities". It's possible that if such an option exists, only when that option is installed do these applets get installed "properly". This is just speculation.

Whatever the case, you have incorrectly labeled this as an Internet Explorer Exploit. A similar "exploit" was found with a Symantec applet some time ago. If the Vendor incorrectly labels an applet as scriptable in a way that allows non-system, or users, to invoke it without some sort of protections, then it may be possible for it to be exploited by non-trusted individuals.

I'm not sure who you've reported this to, but I would suggest you consider providing them an update with a more accurate description of the issue.

Cheers,
Russ Cooper
Owner/Moderator of NTBugtraq