News

IE Vulnerabilities Patched

• By Stephen Swoyer
• 10/11/2001

In a bulletin, which it dispatched to members of its security mailing list, Microsoft indicated that the new patch actually fixes three vulnerabilities that variously affect its Internet Explorer 5.01, 5.5 and 6.0 Web browsers.

According to Microsoft, the first vulnerability has to do with the way in which IE handles URLs that include so-called “dotless” IP addresses. Dotless IP addresses – which are commonly used by spammers --- are 32-bit numbers that resolve into equivalent dotted IP formats.

Because of the way in which IE handles these addresses, Microsoft says, it’s possible that a malicious attacker could send a URL via e-mail or embedded within a Web page to entice a user to click on a malformed dotless IP address. An example would be http://3515228543/ (rather than http://209.134.33.127 or http://www.entmag.com) –- which would then trick IE into opening the site in its less secure “Intranet” zone context.

The software giant claims that an exploit of this kind is mitigated to some extent because the security restrictions associated with IE’s “Intranet” zone aren’t much more relaxed than those which apply to its “Internet” zone, and because the vulnerability affects only IE 5.01 and IE 5.5 and *not* IE 6.0. Microsoft patched a similar vulnerability in IE 4.x in October of 1998.

The next vulnerability – which affects IE versions 5.01, 5.5 and 6.0 – has to do with the way in which IE processes URLs that refer to third-party Web sites. According to Microsoft, a malicious hacker could encode an URL “in a particular way” such that she could include spoofed HTTP requests which would be sent to a third-party Web site.

The software giant allows that if an attacker exploits this vulnerability against a Web-based service, she could “take action on the user’s behalf, including sending a request to delete data.” Microsoft claims that an attack of this could would be “difficult to carry out,” however.

Like the dotless IP address exploit discussed above, the final vulnerability addressed in last night’s security bulletin represents a variation on a once-exploited theme -- in this case, the manner in which IE invokes TELNET sessions. By default, Microsoft says, IE will accept whatever command line options a referring Web site specifies when it invokes a TELNET session.

This particular vulnerability affects only the version of TELNET which ships with Microsoft’s Services for Unix (SFU) 2.0 software (running on either Windows NT 4.0 or Windows 2000). Because the SFU TELNET client includes an option that lets a user create a verbatim transcript of a TELNET session, the software giant acknowledges, it’s possible that an attacker could exploit IE to invoke a TELNET session with its command-line logging switch enabled.

The result would be that she could then “stream an executable file onto the user’s system in a location that would cause it to be executed automatically the next time the user booted the machine,” the security bulletin indicates. The result, of course, is that an attacker could run arbitrary code on a compromised server.

Microsoft stressed that this vulnerability affects only the TELNET client that ships with SFU 2.0. The software giant says that IE versions 5.01, 5.5 and 6.0 are vulnerable to this exploit.