Proactive IT Security
 

Infections from opening e-mails and browsing the web

[Spreading mechanisms]

Security Information  Week 45, 1999

The Security Information for week 43 discussed several vulnerabilities which were possible to exploit due to problems with the functionality in Internet Explorer, called Active Scripting. This week we will take this even further and show how users may be exposed to infections from malicious programs by opening an e-mail and even by surfing the web.

An example of what could be accomplished by exploiting these vulnerabilities was exemplified by 8 November, when the Norman's virus analysts got the first program which was able to infect when an e-mail was read. Read more about this worm, VBS/Bubble, in this document.

The exploits which is discussed this week, rely on the following conditions being met:

  • Internet Explorer version 5 is installed.
  • Windows Scripting Host is installed. This is default in Windows 98 (and Windows 2000 beta) and may be installed optionally in other operating systems, e.g. when Internet Explorer version 5 is installed.
  • Security Settings for the Internet Zone is not set to High (default is Medium).
  • Active Scripting is set to Enabled (default).
  • The patch from Microsoft which corrects the vulnerability is not installed.

It is probably safe to assume that literally millions of PC users meets these requirements, thus being exploitable.

The vulnerability utilizes an ActiveX control called scriptlet.typelib which exists on PCs configured as described above. This ActiveX control is marked as "safe for scripting", which means that it can be executed from a program, e.g. Internet Explorer, without user approval. 

However, this control may be used to create, delete or modify files on the user's PC, and to execute operating system commands. This ActiveX control may be started from any web page and users browsing that web page with Internet Explorer are vulnerable. It may further be started when a user receives an e-mail and uses Outlook or Outlook Express as the e-mail client.

Consider a scenario like this:

  • A person creates a malicious web page as described above and persuades other persons to visit that page.
  • A lot of persons with PCs configured as discussed here, visit that URL.
  • Without their knowledge they are infected by a virus, a worm, a trojan horse (e.g. a Windows BackDoor program), etc.
  • Depending on the malicious program this may have a disasterous effect on the user's PC (e.g. deletion of all files), the organizations network (e.g. propagation of a virus) or on the Internet itself (e.g. a Meliss- like situation).

So far the only malicious program which utilizes this vulnerability, is the worm VBS/Bubble, which is not in the wild when this is written. However one may fear that other programs which use this now known technique, may appear.

To prevent yourself from being exposed to the particular vulnerability discussed here, one or all of the following may be applied:

  • Install the patch from Microsoft which eliminates this vulnerability. More information about the patch and the vulnerability is available in Microsoft's Security Bulletin MS99-032.
  • Change the security settings in Outlook or Internet Explorer for the Internet Zone to high.
  • Disable Active Scripting in the Internet Zone. How to disable Active Scripting is described in Norman's Security Information for week 43.

Per Olav Førland