COMMAND

    IE

SYSTEMS AFFECTED

    Internet Explorer 5.0 HTML Applications

PROBLEM

    Bryan Batchelder found the following.  He recently ran across a
    feature in Internet Explorer 5.0 (Win32 only) which is not a threat
    per se, but might well be dangerous if not known about.  IE 5
    treats any file with the .hta extension as a fully trusted web
    application, and as such it can do anything to your system that it
    wants.  The danger is that an uneducated user comes across one of
    these and executes it under the false impression that, since it is
    not a .exe or .com, it cannot run arbitrary code on the machine.
    No one has heard of this being exploited, but Bryan has been
    writing VBScript that can nuke the filesystem or send email as the
    user via Outlook (unknown to the user).

    When IE5 encounters an HTA it prompts you whether you would like to
    "Open from its current location" or "Save to hard disk", just as it
    does for a normal executable file.  HTA stands for HTML Application;
    HTAs have full access to the system registry and to any COM/DCOM
    objects on the system.

    Steve Posick and Jesse Raccio worked up a demonstration for their
    security personnel to show the possible threat.  The HTA they
    developed displays a pop-up frame that contains some trivial text
    and a VBScript that downloads an executable from a specified web
    site and places it into the Win98 startup group, and also uploads
    any .PWL files that exist in the Windows root directory.  The
    application works by using the IE 5 and FileSystemObject ActiveX
    controls and some very simple scripting.  The first thing the HTA
    does is use IE to view an exe file (renamed to a .txt extension) on
    the remote web server.  This places the exe into IE's cache for
    later retrieval.  They had to do this because Microsoft has
    apparently gone to (not so) great lengths to prevent the writing of
    binary files through HTAs.  They then use the FileSystemObject to
    move and rename the cached exe to a more suitable location (in this
    case the startup directory).  The same technique can be used to
    trojan any file the current user has access to.  They have no reason
    not to believe that this will also work on NT.

SOLUTION

    To remove the association between .hta and HTML applications,  you
    can do the following:

        1. Open up Windows Explorer (i.e. double click on "My Computer")
        2. Go to View -> Folder options, go to the 'File Types' tab
        3. In the 'registered file types' selection box, pick 'HTML Application'
        4. Click remove.

    There  is  also  a  command  line  tool in the resource kit called
    associate.  It might help people who  want to do this to a lot  of
    machines.
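    The Explorer steps above, and the resource kit's associate tool, both
    act on the same registry entries: HKCR\.hta names the ProgId
    (htafile), and HKCR\htafile\shell\open\command names the handler
    (mshta.exe).  The following PowerShell script is an added example,
    not part of the original posting or any Microsoft tool, written for
    a current Windows host rather than Win98/NT.  It audits the
    association, backs the keys up with reg.exe, and removes them only
    when asked.  The key layout and the $BackupDir default are
    assumptions; run it elevated.

```powershell
# Added example (not from the original advisory): audit, back up and
# optionally remove the .hta -> htafile -> mshta.exe association.
# Assumes the standard layout HKCR\.hta (default) = "htafile" and
# HKCR\htafile\shell\open\command pointing at mshta.exe.  Run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,                                    # audit only unless given
    [string]$BackupDir = "$env:TEMP\hta-assoc-backup"   # assumed location
)

function Get-HtaAssociation {
    # Default value of HKCR\.hta is the ProgId; missing key => $null
    $extKey = Get-Item -Path 'Registry::HKEY_CLASSES_ROOT\.hta' -ErrorAction SilentlyContinue
    $progId = if ($extKey) { $extKey.GetValue('') } else { $null }

    $cmd = $null
    if ($progId) {
        $cmdKey = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                           -ErrorAction SilentlyContinue
        if ($cmdKey) { $cmd = $cmdKey.GetValue('') }
    }

    [pscustomobject]@{
        Extension      = '.hta'
        ProgId         = $progId
        Command        = $cmd
        HandledByMshta = [bool]($cmd -and $cmd -match 'mshta\.exe')
    }
}

$assoc = Get-HtaAssociation
$assoc | Format-List

if (-not $assoc.HandledByMshta) {
    Write-Host '.hta is not associated with mshta.exe; nothing to remove.'
    return
}

if ($Remove) {
    # Export both keys first so the change can be reverted with
    # "reg import" if an internal HTA-based tool turns out to need it.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    & reg.exe export 'HKCR\.hta' (Join-Path $BackupDir 'hta-ext.reg') /y | Out-Null
    & reg.exe export "HKCR\$($assoc.ProgId)" (Join-Path $BackupDir 'htafile.reg') /y | Out-Null
    Write-Host "Backup written to $BackupDir"

    # Removing the extension key alone is what Explorer's "Remove" does;
    # removing the ProgId too prevents re-association by name.
    if ($PSCmdlet.ShouldProcess('HKCR\.hta', 'Remove .hta extension key')) {
        Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\.hta' -Recurse -Force
    }
    if ($PSCmdlet.ShouldProcess("HKCR\$($assoc.ProgId)", 'Remove HTML Application ProgId')) {
        Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\$($assoc.ProgId)" -Recurse -Force
    }
}
```

    Run it with no arguments to audit, with -Remove -WhatIf to see
    what would change, and with -Remove to apply.  One caveat a
    practitioner should keep in mind: breaking the association only
    stops Explorer and the download prompt from handing the file to
    mshta.exe; anything that invokes mshta.exe directly with a path or
    URL still runs the HTA with full trust, so the association change is
    a convenience control, not a boundary.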

    Disable File Downloads or disassociate .HTA files from MSHTA.exe.
    Disabling scripting does not stop this, due to the fact that the HTA
    is already on the local system at the time of execution, which makes
    it trusted.  The reason for this can be found in the MSDN.  It
    specifically states that HTAs, once run from the local hard drive or
    executed from the Internet, are considered completely trusted
    applications and are not subject to the security restrictions that
    IE 4 and later impose on web content.  In fact, an HTA could
    download an arbitrary Java application and run it.  HTAs can be very
    dangerous if users aren't taught not to run an HTA from the web or
    let it be downloaded to a local hard drive.