COMMAND

    Internet Explorer 3.0

SYSTEMS AFFECTED

    Win '95, Win NT, Win '97 (Memphis)

PROBLEM

    Initial  discovery  for  this  vulnerability  is  by  David   Ross
    [Widdle  Doggie  Now!]  Help  was  obtained  from Dennis Cheng and
    Asher Kobin.

    On certain machines running Internet Explorer 3.0, an icon can  be
    embedded within a  web page.   When double-clicked, this  icon may
    run a remote application without warning.  This is not the same as
    the ".LNK and .URL" bug discovered recently.  Be very afraid.

    The problem  is significantly  more serious  if the  user is  on a
    platform with CIFS  (Windows NT 4.0  with Service Pack  1 or later
    installed).  If  this is the  case, the location  of the malicious
    executable  code  to  be  run  on  the  victim's  machine could be
    anywhere on the Internet.  If  this is not the case, the  location
    of the  machine containing  the code  is restricted  to within the
    scope of Windows name resolution.   For example, the host must  be
    either on the  same subnet, listed  in the victim's  LMHOSTS file,
    or listed on the victim's WINS server.

    Working examples of  this bug are  provided on a  separate page on
    the page that pointed out this vulnerability.  Please check out:

        http://dec.dorm.umd.edu/index.htm

    Note  about  this  separate  page.   Separate page because Windows
    name resolution often forces Internet Explorer to block for 10  to
    15 seconds. If this happens,  just wait it out, your  computer has
    not crashed. If you are using Internet Explorer on a machine  that
    doesn't have CIFS, the wait period may be significantly longer  in
    order for Windows name resolution to time out. It should be  noted
    however that CIFS is required for these examples to function.

    Internet Explorer enables a user to use a URL describing a  remote
    directory.  When a user clicks on such a link, they are brought to
    what  is  essentially  a  Windows  Explorer  window, but inside of
    Internet Explorer.If this URL is used as the basis for an <IFRAME>
    tag, an embedded frame can  be created with what is  essentially a
    Windows Explorer  window inside.   If this  window is  made  small
    enough, it appears  to be some  sort of button,  one which runs  a
    remote program when double clicked.  CIFS allows a machine to  use
    the IP or hostname provided in the URL as a way of contacting  the
    remote host containing the executable.

SOLUTION

    Microsoft was contacted and they made a fix.  You can download
    fix at following address:

        http://www.microsoft.com/ie