COMMAND
MS Internet Explorer 3.x, 4 (beta)
SYSTEMS AFFECTED
Win '95, NT
PROBLEM
The following information is based on:
http://web.mit.edu/twm/www/expbug2/
This bug allows a hostile web page to write to the hard drive of
users that view that page. The content of what is written is not
easily controllable, and therefore this bug could not be used to
introduce viruses onto a user's computer. However, this bug can
be used to corrupt files simply by over-writing them with garbage,
thus making it simple to corrupt a user's hard drive.
In order to corrupt a file the hostile web page would also need
to know the name of the file that it wants to corrupt. However,
this lessens the severity of the bug very little because if you
are running Windows there is a good chance that you have all of
the following files, all of which would cause you great misery if
corrupted:
    C:\autoexec.bat
    C:\windows\explorer.exe
    C:\windows\system.ini
...well, you get the picture. A hostile web page could just start
writing to a large list of very common files (similar to the one
above) and if the file already exists it will be corrupted (if it
didn't exist, it will be created which could also potentially
cause problems).
Finally, this bug is completely silent and it can easily run in
the background as soon as a web page finishes loading without the
user ever suspecting a thing until it's too late.
Microsoft Internet Explorer 3 and Microsoft Internet Explorer 4
running on Microsoft Windows 95 are both vulnerable, although not
all copies of Internet Explorer 3.0 are vulnerable. Internet
Explorer 3 requires additional components to be installed for
this bug to pose a threat while these components ship standard
with Internet Explorer 4 on Windows 95. Furthermore, several of
these components changed names between the release of IE3 and IE4,
so the same scripts that work in IE4 need some minor
modifications to work in IE3 and vice versa. However, a web page
could easily contain an exploit for both browsers.
This bug is present because of Microsoft's proprietary extensions
to Java. This is not a bug in Java; it is a bug in Microsoft's
extensions to Java. Java's sandbox security model seems to be
working well, but Microsoft has essentially built a ladder out of
the sandbox, which has left Internet Explorer with a defective
sandbox. Credit goes to Tim Macinta.
Macinta has posted a demo of his program on the Web at:
http://web.mit.edu/twm/www/expbug2/
SOLUTION
IE 4 (non beta) should be safe. Microsoft was informed of the
problem and they stated that they already knew about the bug and
have fixed it in their internal builds. You can probably assume
that the patch will be available in the final release of IE.
Microsoft will not be releasing a patch for the bug since it
mainly affects their beta software. The bug will be fixed in the
final release version of IE4 due out at the end of September
1997. Until then you can protect yourself from this bug by
disabling Java in Internet Explorer (Java in other browsers is
not affected and does not need to be disabled).
This bug does affect the Windows NT version of IE, but not the
Windows 3.1 or the Macintosh versions according to Microsoft and
other sources.