Ziff Davis Internet
News & Resources for the IT Reseller
NewsReviewsTech AnalysisCommentarySecurityLinux/Unix
My Account |  
Home > News > 

IE Exploit Lets Attackers Plant Programs on SP2
By Larry Seltzer
October 20, 2004

Updated: New attack finds yet another leak in local resource security that Windows XP Service Pack 2 and subsequent patches were supposed to plug.


A security researcher has discovered a new exploit for Microsoft Corp.’s Windows XP Service Pack 2 that allows programs to be planted and executed on fully-patched systems.

ADVERTISEMENT

The researcher, known as http-equiv and operator of the malware.com Web site, discovered a weakness in the local security zone of Internet Explorer which, through the use of the HTML Help control, allows security restrictions in the zone to be bypassed.

In combination with a separate vulnerability, in which drag-and-drop operations permit executable content to be placed on the system, the result of the attack is the delivery and execution of potentially hostile code from an external Web site. The researcher provides a proof of concept example on the site.

The drag-and-drop component of the example is surprising in light of Microsoft’s recent patching of a related vulnerability. Thor Larholm, senior security researcher for PivX Solutions, said the Microsoft patch, designated MS04-038, “does not patch the drag-and-drop problem directly—instead it tries to prevent its use by limiting the types of files that can be used in DYNSRC.”

eWEEK.com Special Report: Windows XP Service Pack 2

DYNSRC specifies the address of a media object used in a Web page. “As http-equiv demonstrates in his original post, this restriction could be circumvented,” Larholm said.

The problem is relatively minor and can be patched by Microsoft without too much bother, Larholm said. In the meantime, it can be circumvented by disabling a particular shell object, Shell.Explorer, by setting its “kill bit” in the registry. PivX Inc. is providing a registry fix for doing this on their Web site.

In order to deliver and run the attack code the user must perform a drag-and-drop operation. In a real-world attack, users would probably be enticed with a media file such as an image or music, but the file would contain the attack code, according to a description written by Symantec Corp.

A Microsoft spokeswoman said the company is investigating reports of a vulnerability affecting Windows XP Service Pack 2 and earlier versions of Windows that could enable an attacker to place a malicious file on a user’s system.

“Microsoft is not aware of any customer impact at this time. However we will continue to investigate the issue to determine the appropriate course of action to protect our customers. This might include providing a fix through our monthly patch release process or an out-of-cycle update, depending on customer needs,” she said.

Microsoft also advises customers who have applied the latest Internet Explorer update, MS04-038, to set the “Drag and Drop or copy and paste files” option in the Internet and Intranet zone to “Disable” or “Prompt.” Once this setting is changed, the spokeswoman said, the attack described in the report will not succeed.

In addition, customers who have set their Internet Security zone settings set to high will not impacted by this vulnerability.

Editor’s Note: This story was updated to include additional information from Microsoft.

PointerCheck out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.

horizontal rule

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page

     
Email


TALKBACK
MICROSOFT RESOURCE CENTER
Free Hands-On Training Lab
Find out how key features of SBS 2003 can help you open up a new line of revenue. Register now >>


SBS 2003 Sales Reference Card
This handy reference card contains features at a glance, sales objection handling, pricing guidelines & more. Get it now >>


Microsoft Empower for ISVs rewards your big idea with big benefits and support.
Access key development tools at a low cost to help you develop that idea into an innovative application. Learn more >>




 
FREE WHITE PAPER
Changing Business for the Better: A Practical Guide to BPM


This paper provides an overview of the benefits of BPM technologies and identifies the characteristics of BPM solutions that lead to successful BPM process-centric integration projects.


Download this free white paper to learn more!

>> brought to you by IBM

Attention Microsoft Solution Providers!



Want to gain a competitive edge? Try Microsoft Watch – FREE!


Each week you receive:
  • Microsoft News and Insider Information
  • Expert Analysis
  • Code Names of Upcoming MS Products
  • Year-Ahead Calendar, updated monthly



    Click Here to sign up now for your FREE 14 Day Trial to Microsoft Watch.
    •  
    Topic Center Index
    Business Licensing Information Technology
    Companies Channels Resellers
    Software Management  

  • Add up to $1,200 of value with the new BONUS PACKS.
  • HP PartnerONE: The key to increasing your margins.
  • HP Compaq nc6129 Business Notebook. $1149 Smart Buy
  • HP xw8200 workstation. Smart Buy price $1549.
  • ProLiant DL360G4p server: HP Smart Buy price $1647
  • Microsoft files new anti-piracy lawsuits. Learn more.
  • New offers with Windows Genuine Advantage.

    		•

    RELATED LINKS

    NEWS

    View All >

    OPINION

    View All >
    POPULAR TOPICS
    More Topics…
    CHANNEL INSIDER BUYER’S GUIDE
    •Catalog Publishing
    •Dealer Management
    •Order Configuration
    •Price Management
    •Sales Management

    View All >

    SOLUTION BUILDER

    View All >
    CAREER CENTER
    Search the jobs you want & get the info you need – post your resume here today!

    Powered by Dice

    TECH ANALYSIS

    View All >

    CONTRACT WATCH

    View All >
    SPECIAL REPORTS
    White Boxes
    MS vs. IBM
    Linux in the Channel
    Network
    CHANNEL RSS FEED
    Stay in the Zone
    Put The Channel Insider on your desktop.
    FREE NEWSLETTERS
    Subscribe to The Channel Insider: Channel News, Reviews, Resources and more.

    Make your selections below:

    Contract Watch

    The Channel Insider Update

    Preferred e-mail format:

    Enter your e-mail:


    view all newsletters >>

    Channel Insider      Contact Us | Advertise | Site Map

    Channel Insider Quick Links

    B2B | Compliance | Competitors | Procurement Contracts | Site Licenses | Microsoft Licenses | Certification | OEM
    Custom PC | IT Sales | Distribution Channels | Service Providers | Turnkey Integration | VAR | Microsoft Resellers
    Computer Resellers | Software Distributors | Business Management | System Integrators | Technology Partners

    Ziff Davis Footer Logo

    Ziff Davis Home | Contact Us | Advertise | Link to Us | Reprints | Magazine Subscriptions | Newsletters | RSS Feeds
    Tech Shop | White Papers | Tech Encyclopedia | PC Downloads | ROI Calculators | Tech Jobs
    Enterprise Product Comparison Guides | Consumer Electronics Buying Guides | Tech Podcasts | Tech Video

    1UP | Baseline | The Channel Insider | CIO Insight | Cranky Geeks | DesktopLinux | DeviceForge | DevSource
    DigitalLife | DL.TV | eSeminars | eWEEK | ExtremeTech | Filefront | GameVideos | GearLog | LinuxDevices
    Linux Watch | Microsoft Watch | PC Magazine | PCMagCasts | PDF Zone | Security IT Hub | Server IQ
    Smart Company | Technoride | Web Buyer's Guide | What's New Now | Windows for Devices

    Use of this site is governed by our Terms of Use and Privacy Policy
    Copyright © 2003-2006: Ziff Davis Publishing Holdings Inc. All rights reserved. The Channel Insider is a trademark of Ziff Davis Publishing Holdings Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.