COMMAND

    HTAs

SYSTEMS AFFECTED

    IE 5.0 (others?)

PROBLEM

    Jesse Noller set up an NT box with just the basic setup and no other
    modifications, other than SP5 and an installation of Internet Explorer
    5.0, and found the following.  He had been pondering writing some HTAs
    (HTML Applications) for his web-design business when he thought about
    the relationship between IE 5.0 and HTAs.  After some testing with
    different types of code and operating systems, a certain realization
    occurred to him.

    One of the main advantages of HTAs over regular Web pages is that they
    are fully trusted.  As such, HTAs are allowed actions that Internet
    Explorer would never approve of for Web pages.  The bottom line is
    that HTAs do not bother the user with questions and interruptions.
    They are *fully* trusted.  There are several implications of being a
    trusted application.  HTAs have read/write access to the system
    registry on the client machine.  HTAs run embedded ActiveX controls
    and Java applets without any warning.  Zone security is off for HTAs,
    so every operation that the security zone options would otherwise
    restrict is permitted for HTAs.  So, one may write a VB program set
    to nuke certain system files (virus scanner system files, INI files,
    even registry keys) and attach it to an InstallShield wizard.  Then,
    instead of letting the typical user download and run the program,
    where the hostile code and program might otherwise be discovered, you
    simply say, "Please run this application from the current location".
    Although advanced users would know better, this is becoming the norm,
    so many users might not.  Bad guys have now opened the door, inserted
    evil code, and destroyed your data.
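
    The "run this application from the current location" path described
    above can be watched for on the defender's side: mshta.exe (the HTA
    host) starting with an .hta file that sits in the browser cache or a
    temp directory, or being started directly by the browser.  The
    following is an added example, not code from the advisory or from
    Jesse Noller; the process records, the directory list and the
    parent-process set are constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

class ProcEvent(NamedTuple):
    parent: str    # image name of the parent process
    image: str     # full path of the new process
    cmdline: str   # command line of the new process

# Constructed sample process-creation records, not from any real system.
SAMPLE_EVENTS = [
    ProcEvent("iexplore.exe", r"C:\WINNT\system32\mshta.exe",
              r'mshta.exe "C:\WINNT\Temporary Internet Files\Content.IE5\AB12CD34\setup[1].hta"'),
    ProcEvent("explorer.exe", r"C:\WINNT\system32\mshta.exe",
              r'mshta.exe "C:\Program Files\Intranet Tools\dashboard.hta"'),
    ProcEvent("iexplore.exe", r"C:\WINNT\system32\mshta.exe",
              r"mshta.exe C:\TEMP\invoice.hta"),
    ProcEvent("explorer.exe", r"C:\WINNT\system32\notepad.exe",
              "notepad.exe readme.txt"),
]

# Where a just-downloaded HTA lands when the user picks "run from the
# current location" (assumed list; extend it for your environment).
UNTRUSTED_DIRS = ("temporary internet files", "\\temp\\", "\\downloads\\")
BROWSER_PARENTS = {"iexplore.exe"}
HTA_ARG = re.compile(r'"([^"]*\.hta)"|(\S+\.hta)\b', re.IGNORECASE)

def hta_path(cmdline: str) -> Optional[str]:
    """Return the .hta argument given to mshta.exe, quoted or bare."""
    m = HTA_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def classify(ev: ProcEvent) -> Optional[str]:
    """Explain why the record looks like a web-delivered HTA, else None."""
    if not ev.image.lower().endswith("\\mshta.exe"):
        return None                      # not the HTA host at all
    path = hta_path(ev.cmdline)
    if path is None:
        return None                      # mshta.exe without an .hta file
    reasons = []
    if ev.parent.lower() in BROWSER_PARENTS:
        reasons.append("launched by browser")
    if any(d in path.lower() for d in UNTRUSTED_DIRS):
        reasons.append("HTA in cache/temp location")
    return "; ".join(reasons) or None

def find_suspicious(events):
    """Pair every flagged command line with the reason it was flagged."""
    return [(ev.cmdline, r) for ev in events if (r := classify(ev))]
```

    An HTA installed on purpose under Program Files and started from the
    desktop (the second record) is left alone; only the two browser-cache
    launches are reported.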

    Now, when something like this runs under administrator privileges on
    NT, it opens up not only the registry but the entire system.  Simple
    trojans like NetBus can then be installed without end-user knowledge.
    It can also allow theft of encrypted data and password files.
    Although precautions against this can be taken, many users might not
    know to.  Microsoft has end users execute them as well.  This
    security hole affects all versions of Win 9x/NT.

    Main testing simply consisted of downloading multiple types of virus
    scanning utilities, installing them, then building the InstallShield
    package and attaching NetBus and a hostile VB program to wipe out the
    virus scanner's system files, reboot the machine, and continue the
    install.  Jesse then programmed the HTA and executed it on one more
    Win box.  NetBus was successfully installed, giving system access.
    However, this was done while logged in as Admin.  Many people might
    not do this on the console regularly, but many do.  Versions lower
    than IE 5.0 were not yet tested.

SOLUTION

    First of all, an admin should never browse, and the security zone
    mechanism should handle this properly somehow.