OT: Disturbing Internet Explorer Exploit/Security Flaw (Scary)

  • Thread starter: Mike M.
I could be wrong, but with the information presented here, I don't see this
as a big security flaw. There are already plenty of ways to do pop-ups, or
to DoS a box by doing tons of pop-ups that consume resources.
 
Mike said:
Notepad pop-ups without scripting, and possibly other program
execution. Easily exploited, and for now the only fix is to change to
another browser.

Or use something like Proxomitron. This silly and annoying, but rather
benign exploit that I didn't know about, gave me a chance to write my
first Prox filter:
"view-source:" -> "noview-source:" within the HTML tags.

Works like a charm.
 
e.g. You "can tell Notepad to edit the
system file c:\windows\system32\shell32.dll and 20 megabytes of virtual
memory is consumed". My system tells me that the file is too big for
Notepad to open. :)

Windows 9x (and probably ME) notepad can't handle files over a certain
size. NT-based versions handle much larger files. I'd guess you're
running one of the former.
 
Alan said:
Totally agree.

Of course, you do. I would have been disappointed if you didn't.
The link at:
http://computerbytesman.com/security/notepadpopups.htm
is your typical "hype" page, suggesting all sorts of scenarios that are
either doubtful or wrong. e.g. You "can tell Notepad to edit the
system file c:\windows\system32\shell32.dll and 20 megabytes of virtual
memory is consumed". My system tells me that the file is too big for
Notepad to open. :)

And you're *happy* about that? Okay, whatever.

http://m0053m4n.tripod.com/misc/screenshot.png
And why use a plaintext "popup" for spam? I'd put it in the message body
if I were so inclined.

How conveniently you focus on the spam angle while completely ignoring the
obvious danger of launching executables on a user's system without warning or
permission and facilitating the corruption of critical system and/or
configuration files?

I guess this is acceptable to you.
 
John said:
... Not that I'm claiming you're wrong about any of the points you
made, just mentioning that Notepad works differently on NT/2K/XP than
95/98/ME, so your results may vary. That's all.

Thanks for the info John. And no, I hadn't realised that the NT variety
of notepad was different; not that it is really significant, as you say.
The end result is the same as the user (accidentally) opening such a
large file. Some security concern... scary???

BTW, love your tag lines. Do you use some sort of random quote
collection?
 
3c273 said:
I can't seem to get this to work! (Which is why I requested one.) The
log window says it is matching but nothing is being replaced. Hmmm?
Louis

I didn't see your post before I posted the above, sorry. From what you
say, I'd guess you're reloading a cached copy of the offending/
offensive page. Try using Ctrl + F5 or Ctrl + Refresh to fetch a new copy
from the server and see if the HTML has been suitably altered.

What expressions have you used in the filter dialog BTW? I'm totally new
to this, so I'm probably using something far from optimal.
 
Alan said:
More information on the "obvious launching of executables" and
"corruption of critical system and/or configuration files" would no
doubt be appreciated by the many here who use IE. Please post.

What is the point? You don't believe anything unless it comes printed on
Microsoft Corp. letterhead.

I guess that ignorance truly *is* bliss.

Jump, little lemming! Jump!

*THUD*
 
dkg_ctc said:
Well, thanks for that informative post.

Of course, your ad hominem attacks don't address the fact that the
only application which can be opened via this "obvious danger", as
you put it, is notepad, and that it's not "facilitating the
corruption of critical system and/or configuration files" (once
again, as you put it) at all, but simply opening a file.

He probably couldn't figure that one out :)... or maybe he could and
realised what a dork he appeared in his *original* ad hom post. I love
the lines "What is the point?" and "ignorance truly *is* bliss" !
Unless you can provide an example of this "obvious danger" being
used in a manner which leads to something other than the opening of
a file in notepad, it seems fairly obvious to me that all you have to
stand on are weak ad hominem attacks, and no technical details to
speak of.

That was also my only humble request in the post that got attacked. But
like those of his ilk, he decided that the best form of defense was
attack - hence the ad hom outburst. Hang about long enough and you'll
find a few more in this club, who just hate it when misinformation about
"you know who" is exposed as the hyped up, ignorance-based propaganda
that it actually is.

And if you're new, welcome to ACF :)
 
DC said:
What is the point?

The point would be to demonstrate to all the IE users the nature of the
great danger they are in... as some helpful input to the ACF community.

<snip pathetic ad hom attempt at evading the issue>
 
Thanks for the info John. And no, I hadn't realised that the NT variety
of notepad was different; not that it is really significant, as you say.
The end result is the same as the user (accidentally) opening such a
large file. Some security concern... scary???

Yeah, opening text files with Notepad is REALLY scary. I break into a
sweat every time I do it, trying to imagine all the viruses, worms,
and trojans I can catch that way.
BTW, love your tag lines. Do you use some sort of random quote
collection?

:)

Yep. I collected taglines for several years, and then recently set up
Kookie Jar to pull them out at random. I think I have about 1500
taglines, including parts of other peoples' collections :). And I'll
still occasionally grab a good one when I see it and add it to the
collection.
 
3c273 said:
Doh! Forgot to try the simple solution first as I was "positive"
there was something wrong with my filter. Thanks!

Glad it worked Louis. Care to share your filter? :)
 
Yeah, opening text files with Notepad is REALLY scary. I break into a
sweat every time I do it, trying to imagine all the viruses, worms,
and trojans I can catch that way.

Am I missing something? How could this be risky?
 
But that prevents you from using the view-source feature of your
browser, I presume. I use view-source all the time to investigate
allegedly "bad" web sites (using Mozilla). Just use a Moz based
browser and forget about all this nonsense :)

Art
http://www.epix.net/~artnpeg
 
dkg_ctc said:
Well, thanks for that informative post.

Of course, your ad hominem attacks don't address the fact that
the only application which can be opened via this "obvious
danger", as you put it, is notepad, and that it's not
"facilitating the corruption of critical system and/or
configuration files" (once again, as you put it) at all, but
simply opening a file.
[snip]

If one were to take the trouble to actually _read_ the referenced
web page, they would see this:

<q>
# A simple email HTML message or Web page can easily open
thousands of windows causing system stability problems. For
example, a single <IMG> tag can tell Notepad to edit the system
file c:\windows\system32\shell32.dll and 20 megabytes of virtual
memory is consumed. A 100 <IMG> tags would consume 2 gigabytes of
virtual memory.

# A Windows system could become corrupted if a user accidentally
changes the contents of a system file which appears in Notepad
popup window and then saves these changes because they don't know
any better. </q>

Seems plausible to me.

To me, it seems possible, but not plausible. What happens in most
cases with popups? They close the windows. Why would a popup from
notepad be any different?
Stop thinking of "danger" in the same sense as viruses are
dangerous to Windows systems. Instead, consider a 65 y/o
relative, clueless about computers, who has his boot.ini or some
other system config-type file open up suddenly. One wrong move
(i.e. a key press here or there changes the file) before closing
the window and answering "yes" to the save dialog and *poof*.

I guess I don't know many people--whether 6, 65, or 105--who would
accidentally press a key in a window which they don't understand,
then select Yes when Notepad asks them if they want to save the
changes made to the file which they don't understand.
Like I said, it seems plausible to me.

And like *I* said, it seems possible to me...but not plausible.
 
Am I missing something? How could this be risky?

You _are_ missing something. The sarcasm. But it's probably just a
matter of time 'till a Notepad exploit surfaces.

Joe
 
dkg_ctc said:
To me, it seems possible, but not plausible. What happens in most
cases with popups? They close the windows. Why would a popup from
notepad be any different?

Because it's somehow associated with IE - this makes it a serious
security flaw, rather than business as usual. Just look at the highly
intellectual tagline of the poster for further insight.
I guess I don't know many people--whether 6, 65, or 105--who would
accidentally press a key in a window which they don't understand,
then select Yes when Notepad asks them if they want to save the
changes made to the file which they don't understand.

Looks to me like the biggest security risk in this case is the inept
user. Imagine the damage they could do with "a key press here or there"
like WinKey +E, then numerous Del hits with the same clueless "yes"
responses and *poof*. And all this without even opening IE.
And like *I* said, it seems possible to me...but not plausible.

Even the extremes of the implausible become not only possible, but
DefCon4 level security threats in the minds of a MS-phobe.
 
3c273 said:
Very basic for this, even used your replacement text :-)

Name = "View Source"
Active = TRUE
Limit = 2048
Match = "view-source:"
Replace = "noview-source:"

The one I was thinking of would only alter the text within the <> tags:

Matching: <\1viewsource\2>
Replace: <\1noviewsource\2>

I *think* this will work as planned, and not affect the body text.
 
Alan said:
The one I was thinking of would only alter the text within the <>
tags:

Matching: <\1viewsource\2>
Replace: <\1noviewsource\2>

Sorry, they should read:
Matching: <\1view-source\2>
Replace: <\1noview-source\2>
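An added example, my own code rather than the thread's Proxomitron filter, showing the difference between the two approaches discussed above: replacing every "view-source:" in the page also mangles body text (the spam/plaintext case), whereas a filter that only touches the inside of <...> tags leaves prose alone. The tag-scoped version also requires the scheme to sit at the start of an attribute value (my own refinement, not in the thread), so a second pass does not turn "noview-source:" into "nonoview-source:". The sample HTML and the function names are constructed for illustration.

```javascript
// Added example: neutralise the "view-source:" URL scheme inside HTML tags
// only, leaving body text untouched. Not the thread's filter; names and the
// sample document below are constructed for this illustration.

// Constructed sample: one mention of the scheme in prose (must survive) and
// two IMG tags that use it as a URL (must be rewritten). The second tag has a
// '>' inside a quoted attribute to exercise the quote handling.
const SAMPLE_HTML = [
  '<html><body>',
  '<p>To inspect a page, type view-source: before the URL.</p>',
  '<img src="view-source:c:\\windows\\system32\\shell32.dll" alt="x">',
  "<IMG SRC='VIEW-SOURCE:c:\\boot.ini' title='a>b'>",
  '</body></html>',
].join('\n');

// Thread's first filter: the scheme is replaced wherever it appears,
// including in visible text.
const SCHEME_ANYWHERE = /view-source:/gi;
function naiveFilter(html) {
  return html.replace(SCHEME_ANYWHERE, 'noview-source:');
}

// A scheme only matters at the start of a URL, so require it to follow an
// attribute delimiter (=, quote, whitespace) or the start of the tag text.
// "noview-source:" is preceded by "o" and no longer matches, which keeps the
// rewrite idempotent and lets the same pattern serve as a detector.
const SCHEME_AT_VALUE_START = /(^|[\s"'=])view-source:/gi;
function hasScheme(tag) {
  return /(^|[\s"'=])view-source:/i.test(tag);
}

// Walk the document and apply fn() to each <...> span, passing text between
// tags through unchanged. A '>' inside a quoted attribute value does not end
// the tag. Heuristic tokenizer; comments and CDATA are treated like tags.
function mapTags(html, fn) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);               // body text: untouched
    let j = lt + 1;
    let quote = null;
    while (j < html.length) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
      j++;
    }
    out += fn(html.slice(lt, j + 1));       // tag text, including '>'
    i = j + 1;
  }
  return out;
}

// Thread's second filter: rewrite only inside tags.
function tagScopedFilter(html) {
  return mapTags(html, (tag) => tag.replace(SCHEME_AT_VALUE_START, '$1noview-source:'));
}

// Detection: how many tags still carry the scheme as a URL?
function countViewSourceTags(html) {
  let n = 0;
  mapTags(html, (tag) => { if (hasScheme(tag)) n++; return tag; });
  return n;
}

console.log('offending tags before:', countViewSourceTags(SAMPLE_HTML));
console.log(tagScopedFilter(SAMPLE_HTML));
console.log('offending tags after:', countViewSourceTags(tagScopedFilter(SAMPLE_HTML)));
```

String rewriting of this kind is a stopgap, like the Proxomitron filter it mirrors: it will miss forms the browser still resolves, for example a colon written as the entity `&#58;` inside an attribute, which is decoded before the URL is interpreted. Disabling the handler or switching browsers, as the thread suggests, is the reliable fix.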
 