
IE Flaw Gives Hackers Access To User Files

Posted by timothy
from the open-file-my-documents dept.
snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."


  • by hey! (33014) on Thursday February 04, 2010 @03:47PM (#31025842) Homepage Journal

    Had Microsoft not needed something to drive a stake through Netscape's heart, it wouldn't have needed to concoct its own Frankenstein's monster of confused and misbegotten priorities.

    • by Anonymous Coward

      This is just fucking stupid. WHY DO PEOPLE AND BUSINESSES STILL USE IE?

      We KNOW it's full of holes. Not just small ones, but literally, gaping goatse-sized holes. This is a perfect example, to go along with the hundreds of other problems we know of.

      There are so many alternatives today! We are living in a time of plenty when it comes to browsers. I mean, we have Opera that runs just about everywhere. We have Firefox if you want extensibility. If you prefer the feel of the old Netscape Communicator suite, ther

      • Re: (Score:3, Interesting)

        I read about vulns in Firefox pretty often too. Granted, IE's tend to be stupider and MS's policy of ignoring vulns until they're shoved in their faces with an in-the-wild exploit (and then only patching once a month) is pretty awful, but it's not like other browsers are a magic bullet.

        That said, i wouldn't be caught dead using IE, nor let friends or family do it.

        • by gstoddart (321705)

          That said, i wouldn't be caught dead using IE, nor let friends or family do it.

          I can't even begin to tell you the number of sites required by my previous employer that required IE, and there's always a couple here and there that want ActiveX or what have you.

          I do 99% of my browsing in a Firefox with noscript installed and a fairly locked down policy. I have found I pretty much need to keep an IE laying about for those really stubborn sites which require it, and which I'm willing to use.

          Generally, I agree w

      • Re: (Score:2, Insightful)

        by LikwidCirkel (1542097)
        If you give people a free car with houses, that "works" enough to get from A to B, then how many people will make the effort to get a different free car if they're not aware that there is anything wrong with the first one?
      • Only one reason as far as I'm concerned - Netflix instant viewing. Won't run in FF at all (as per their policy as well - dunno if there's a hack that can do this). So, I have IE for Netflix and FF for everything else. Actually not a bad deal as I've set IE to open Netflix logged in - that way it works just like a TV ;-) with the browsing kept to the TV guide minimum.

        In fact, any ideas on getting around this would be appreciated.
  • This is bad. (Score:5, Insightful)

    by Buelldozer (713671) <cliff@gind u l i s . n et> on Thursday February 04, 2010 @03:48PM (#31025860)

    When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

    • Pesky NTOSKRNL.EXE (Score:2, Interesting)

      by fibrewire (1132953)

      Nobody knows where i keep THIS file.

    • Re:This is bad. (Score:4, Informative)

      by girlintraining (1395911) on Thursday February 04, 2010 @05:49PM (#31027512)

      When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

      You seem to forget that Windows XP, Vista, and Windows 7 all have file indexing enabled by default. By accessing those hidden .db files, you can get the complete list of filenames in each directory, including the names of the subdirectories in some cases.

  • I wonder... (Score:5, Insightful)

    by Ismene (680764) on Thursday February 04, 2010 @03:49PM (#31025868)
    I wonder how many people have a "passwords.txt" file in their Documents. ;-)
    • by byrdfl3w (1193387) on Thursday February 04, 2010 @04:01PM (#31026010) Journal
      Whew! Thanks! I deleted all my password.txt files before some nasty hacker got to me.
      Now I gotta tell my friends about this! Hold on while I log..

      Oh crap.
    • This is why I keep my password file encrypted. And I don't use that standard '.txt' extension either. Mine is 'passwords.rot13'... no one would ever guess that!

  • Flawed (Score:5, Insightful)

    by mcgrew (92797) * on Thursday February 04, 2010 @03:50PM (#31025874) Homepage Journal

    an attacker may be able to access files with an already known filename and location

    One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

    "Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008," it said.

    Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?

    Microsoft hasn't seen any attacks that exploit the flaw and has yet to decide whether to repair the flaw through its monthly security patch release cycle or an urgent, out-of-cycle update.

    Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?

    • Re:Flawed (Score:4, Insightful)

      by radish (98371) on Thursday February 04, 2010 @04:02PM (#31026032) Homepage

      Is this a ploy to get people to upgrade from XP?

      I'd say it's (yet another) reason to stop using a 9 year old OS. How many of the major linux distros still support versions that old? How many people would recommend continuing to run a version that old?

      • I have to agree. I'm open for 4-5 years of long term support for server OSes and very stable versions, but 9 years is just ridiculous.. well, would be normally, but there was not much option after XP for a long while and then came Vista.. go figure.

      • by mcgrew (92797) *

        How many of the major linux distros still support versions that old?

        We don't have to as it's free, but there would be a lot more if Linux cost $500 ($100 for a "home version" upgrade) like Windows does. Lots of people don't even pay $500 for their computer.

      • by ichthus (72442)

        How many of the major linux distros still support versions that old?

        How many of the major Linux distros' later releases suffer from a performance downgrade?

      • First of all, it took the company who made the OS eight years to come up with a suitable replacement (or, at least six, if you want to count the relatively usable W2K8 server as a replacement for a desktop system), so I only look at the OS as two years out-of-date at most.

        In addition, Win7 requires more processing power than XP to gain reasonable advantage over XP, requires the user to learn new UI and administrative skills, and often requires replacement of software and hardware for which no Win7 versions

      • Re:Flawed (Score:4, Interesting)

        by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday February 04, 2010 @06:12PM (#31027768) Homepage Journal

        The difference is that a lot of software which works on Windows XP is broken on Windows 7, including several games that I tried, whereas for the various Loki games that don't work there's Loki_Compat, and for most everything else you have source and can recompile. There's still ample reason to use Windows XP, because for many tasks it is superior to modern Windows. Of course, there are limited cases where this is true for Linux as well, such as when you desire to run OpenMOSIX which AFAIK last worked on 2.4 series kernels.

    • I can see this being a big problem for business users too.

      We issue all files to external parties as pdfs/dwfs so they're basically read only, but there's a tracker reference for internal use which is on this, and I've seen this a lot before too, so I imagine that it could expose something that is supposed to be locked away for contractual reasons to being accessed, modified and distributed.

      We also use XP, some essential software can't handle 64 bit xp, nevermind Win 7, so we're stuck here for a while at lea

    • by Dracos (107777)

      Well, what blackhat could pass up easy access to anything in C:\WINNT\system32, or the paging file, or any other critical file, from the web?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      > Has yet to decide whether to repair it?

      No, has yet to decide whether to repair it now or wait until Patch Tuesday.

      There are plenty of legitimate reasons to criticise Microsoft (like leaving things unpatched until Patch Tuesday) but misinterpreting their statements doesn't help anybody.

    • by Z34107 (925136)

      You might not even have to guess the tax-returns folder. I wonder if you could iterate through all possible files/paths inside My Documents and brute-force a listing.

      • by Carnildo (712617)

        I wonder if you could iterate through all possible files/paths inside My Documents and brute-force a listing.

        It's possible but not practical. A decade ago I did this as part of a proof-of-concept virus; iterating through all possible 8.3 filenames would have taken just under a century.

        • It's possible but not practical. A decade ago I did this as part of a proof-of-concept virus; iterating through all possible 8.3 filenames would have taken just under a century.

          I know the longer filename support in Windows would take longer to brute force, but wouldn't that also make a dictionary attack more feasible since fewer constraints are placed on the user's naming of files?

    • by commodoresloat (172735) * on Thursday February 04, 2010 @04:38PM (#31026580)

      That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

      Oh shit ... hackers can find out how broke I really am!!

    • by grcumb (781340)

      an attacker may be able to access files with an already known filename and location

      One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

      I'd be more concerned about the accessibility of files like Normal.dot - the default MS Word template. Stick an autoexec macro in there, and you'll learn quite a bit about the system.

    • Protected Mode is the "sandbox" feature present in IE7 and IE8. It uses UAC that's in both Vista and 7 to run in an even more limited fashion, but not in XP. If you've got UAC disabled, you're not running Protected Mode and you're vulnerable. There are other [mydigitallife.info] ways in which Protected Mode can be disabled.

      It's best to check out the blog entry on the MSRC [technet.com] and the Knowledge Base article [microsoft.com].

      We now return to your regularly scheduled Microsoft bashing and Linux referrals already in progress.
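    The checks the post above points at, written out as an added example (mine, not from the advisory, the linked blog or the poster). Assumptions not stated in the thread: IE stores the per-zone Protected Mode switch as a DWORD named 2500 under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n> (0 = enabled, 3 = disabled), a Group Policy copy under HKLM:\Software\Policies\... takes precedence when it exists, and UAC is reflected in HKLM:\...\Policies\System\EnableLUA. Zones 0 to 4 are My Computer, Local intranet, Trusted sites, Internet and Restricted sites.

```powershell
# Added example: audit whether IE Protected Mode is actually in effect on this box.
# Assumptions (not from the thread): zone value "2500" is the Protected Mode switch,
# 0 = enabled, 3 = disabled; EnableLUA = 0 means UAC is off, in which case Protected
# Mode cannot run regardless of what the zone settings say.

$ZoneNames = @{
    0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';    4 = 'Restricted sites'
}

# The policy (GPO) key wins over the per-user key when it exists.
$ZoneRoots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-UacEnabled {
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $sys -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    # A missing value is treated as enabled, the OS default on Vista/7.
    return ($null -eq $lua) -or ($lua -eq 1)
}

function Get-ZoneProtectedMode {
    foreach ($zone in 0..4) {
        $setting = $null
        $source  = 'IE default'
        foreach ($root in $ZoneRoots) {
            $key = Join-Path $root $zone
            if (Test-Path $key) {
                $v = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
                if ($null -ne $v) { $setting = $v; $source = $key; break }
            }
        }
        $state = if ($null -eq $setting) { 'not set (IE default)' } elseif ($setting -eq 0) { 'Enabled' } elseif ($setting -eq 3) { 'Disabled' } else { "unknown value $setting" }
        [pscustomobject]@{ Zone = $zone; Name = $ZoneNames[$zone]; ProtectedMode = $state; Source = $source }
    }
}

if (-not (Get-UacEnabled)) {
    Write-Warning 'UAC is disabled: IE cannot run in Protected Mode on this machine at all.'
}
Get-ZoneProtectedMode | Format-Table -AutoSize

# Zones 3 and 4 (Internet, Restricted sites) are the ones that must show Enabled.
# IE leaves Protected Mode off by default for Local intranet and Trusted sites, so a
# site that a user has added to Trusted sites gets the un-sandboxed browser anyway.
```

    Run it in the user's own session (the HKCU branch is per user). On XP the zone keys exist but the 2500 value is meaningless, since the OS has no integrity levels for Protected Mode to build on.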

    • by mlts (1038732) *

      XP does not have a protected mode. The next best thing would be to run a virtual machine utility and browse in that. Then when done browsing, close the VM and have all changes rolled back to the previous snapshot. If you want bookmarks preserved, put that directory on another virtual drive that keeps its state (and doesn't get rolled back like the system.)

      Barring running in a VM, you can create a non-admin user in XP, switch to that for your Web browsing, and only use that user for browsing. Your sensit

    • How about the system doesn't allow the fecking web browser to read your personal files? The purpose of My Documents is to have an easy space to store everything and keep it organized. How is the solution to this ridiculous bug to not utilize such a useful feature?
      • by mcgrew (92797) *

        How about the system doesn't allow the fecking web browser to read your personal files?

        Come on, man, it's Microsoft we're talking about!

    • by jimicus (737525)

      Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?

      Some of us are old enough to remember before Microsoft implemented Patch Tuesday. The official reason was simple - companies were sick to death of having new patches to test, deploy and roll out several times a week.

      Myself, I take the view that if a company large enough to test, deploy and rollout patches on a managed basis can't institute their own timetable rather than rely on that provided by a third party they have huge problems. But what do I know?

    • by initialE (758110)

      But keeping your shit where your shit ought to be is a key best practice - you can't reasonably expect to change that now. Imagine if programmers were to throw their files all over the system directories and requiring all kinds of administrator privileges to run. Now imagine users needing the same rights just to get to their files.

    • Re:Flawed (Score:4, Informative)

      by cbhacking (979169) <been_out_cruising-slashdot&yahoo,com> on Thursday February 04, 2010 @08:22PM (#31029160) Homepage Journal

      Protected Mode requires a substantial change to the process security model. Basically, until Vista/Server 2008, NT followed what was essentially the *NIX security model, where access permissions of a program were determined by the user/group the program was run by. There are differences in implementation between NT and the various POSIX systems, but that's the general idea. The problem is that when the vast majority of your users run with nearly full access to the system, one misbehaved (vulnerable) program can bring everything crashing down.

      In NT6 (Vista/Server 2008), Microsoft introduced a new concept of process integrity levels, which are a per-process (rather than per-user) level of security. By default, programs run with medium integrity, which means their access permissions are basically what they were before. High integrity processes, such as system processes or anything run with actual Administrator permissions, can access anything but can't be accessed by lower-integrity programs (which helps prevent elevation of privilege from a non-Admin program).

      The relevant datum here is that Internet Explorer runs (by default) with Low integrity, which means it has extremely limited access to the rest of the system. A low-integrity process can't start medium-integrity processes, can't write to the vast majority of the filesystem (there's a special low-integrity folder for things like Temporary Internet Files) or registry, and basically is unable to cause any harm. The trick is, it has these limitations regardless of the permissions of the user who runs the program.

      XP can't do that. If you, as a user, can write to a location, any program you start can too (unless you tell Windows to start it as another user). Therefore, since Protected Mode is just Microsoft's term for "this process runs with low integrity" and XP can't *do* low integrity, no, you don't get Protected Mode on XP, and never will (it would require a substantial change to the kernel security subsystem).
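      An added example (mine, not cbhacking's and not Microsoft's) that makes the integrity levels described above visible on a Vista/7 box from PowerShell: the label carried by the current token, and the mandatory label on the LocalLow profile folder that a Low-integrity IE is allowed to write into, next to folders that carry no label. Assumptions: whoami /groups lists the token's integrity level as a pseudo-group under "Mandatory Label", icacls prints an object's explicit label on a line containing "Mandatory Label", and an object without an explicit label is treated as Medium.

```powershell
# Added example: inspect the integrity level of the current token and the
# mandatory labels on a few filesystem objects. Assumes whoami.exe and icacls.exe,
# both shipped with Vista/7; the LocalLow folder does not exist on XP.

function Get-TokenIntegrityLevel {
    # whoami reports the integrity level as a pseudo-group, e.g.
    # "Mandatory Label\Medium Mandatory Level"
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' } | Select-Object -First 1
    if ($label) { $label.'Group Name' -replace '^Mandatory Label\\', '' } else { 'unknown' }
}

function Get-ObjectIntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : not found" }
    # icacls prints explicit labels such as
    # "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)"; NW = no write-up,
    # i.e. a lower-integrity process may not write to the object.
    $line = icacls $Path 2>$null | Select-String 'Mandatory Label' | Select-Object -First 1
    if ($line) { $line.Line.Trim() -replace '^.*Mandatory Label\\', '' }
    else       { 'no explicit label (implicitly Medium)' }
}

"Current token integrity: " + (Get-TokenIntegrityLevel)

$targets = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow'),   # the only profile area Low IE may write
    (Join-Path $env:USERPROFILE 'Documents'),          # Medium: readable, not writable, from Low
    $env:SystemRoot                                    # Medium label, ACL-protected on top
)
foreach ($p in $targets) {
    '{0,-45} {1}' -f $p, (Get-ObjectIntegrityLabel $p)
}
```

      Launch IE, then run whoami /groups from a shell started by it (or look at the process in Process Explorer) and the token label reads Low rather than Medium; that label, not the user's group membership, is what stops a Low process from writing to Documents. The thread's point about XP follows directly: with no Mandatory Label on the token there is nothing for the kernel to check.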

  • by LikwidCirkel (1542097) on Thursday February 04, 2010 @03:51PM (#31025884)
    Hmm.. the most obvious predictable file names are conveniently the most dangerous for someone to have access to.
    • by eln (21727) on Thursday February 04, 2010 @04:00PM (#31025992) Homepage
      The article seems to suggest (although does not explicitly state) that the hacker would be able to read the files, not overwrite them. If that's the case, I don't see why the System32 directory would be that important, unless you keep secret data embedded in your system binaries.
      • Re: (Score:3, Insightful)

        by WillAffleckUW (858324)

        yeah, it's not like there are stored connection strings to databases ... um ...

      • Re: (Score:3, Insightful)

        by Sleepy (4551)

        That's not the case.

        It's not like memory dumps don't ever get dumped there if you had an OS crash, and it's not like memory dumps would ever contain user data like user passwords. There's user data in there. Where does the REGISTRY get saved???

        This is BAD.

  • CVE-2010-0255 (Score:2, Informative)

    by Anonymous Coward
    Core Security Advisory FTW [coresecurity.com]
  • The last time I dealt with "protected mode" was on an 80286 [wikipedia.org] CPU when DOS ruled the world. I had an ISA memory card that could page memory above the 1024K limit for applications or as a RAM drive.
    • My first thought when I saw "Protected Mode" was that anyone who is still using an 8088 deserves to get pwned.

    • Re: (Score:3, Informative)

      by Z34107 (925136)

      "Protected mode" is a marketing term meaning IE takes advantage of Vista's new permissions model. It means it's a low-privilege process and has most of its file system access effectively jailed or redirected.

      Long-winded article here [microsoft.com], but I'm guessing the hack doesn't work in "Protected Mode" because the browser itself doesn't have much file system access.

  • by apparently (756613) on Thursday February 04, 2010 @04:05PM (#31026076)
    "The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."

    Good thing no one knows to look for: "%USERPROFILE%\My Documents\Quicken\qdata.qdf"
  • by Jorl17 (1716772)
    Modifying hosts.txt could be one of the biggest issues with this one. And yet, it's just another flaw much like there are hundreds of others in any browser.
    • Re: (Score:3, Informative)

      by natehoy (1608657)

      Actually, the security advisory describes the attack, and while the remote attacker would have access to any file the local user does, it does not appear the file could be altered, just copied or examined. The security bulletin never lays this out in uncertain terms, but the description of the actual process looks like a read-only one.

      Given that Windows usually stores important stuff in c:\Documents and Settings\(username)\blahblah, the remote attacker would have to know (username) before they could get to

      • Actually, this news story [taranfx.com] suggests that you have to have certain HTML/JS files planted in the user's shared folder for the flaw to work. So it's even less dangerous than implied (not that you shouldn't worry about it).
        • Re: (Score:3, Insightful)

          by natehoy (1608657)

          http://www.microsoft.com/technet/security/advisory/980088.mspx [microsoft.com]

          When in doubt, go to the source. Microsoft has a pretty decent write-up on this one. I don't know who taranfx.com is, but the only accurate bits of information in their article are what they cut-and-pasted from the Microsoft site. The rest is, umm, "fanciful". Sorry, I gotta call 'em like I see 'em.

          Oh, one other useful bit from their site... that everyone should stop using IE. Now.

          I'd also add to only run a browser that has something like No

  • by 140Mandak262Jamuna (970587) on Thursday February 04, 2010 @04:13PM (#31026218) Journal
    There is nothing to see here folks, move on. The bug kicks in only under certain circumstances. The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?
    • by mcgrew (92797) *

      The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?

      I'd say close to 100% of the people who work for Microsoft, all of whom I'd guess are on slashdot.

      • by natehoy (1608657)

        Right, but they are all running Windows 7.

        My company runs XP, and provides IE6 by default. So did my last two companies. Not that I use IE for anything but the Intranet, but most people still use it for all their browsing needs.

    • The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?

      How many slashdotters' parents do that? I'd say a good deal many of them.

      This affects more than just you. Or maybe it does affect you: what's your setup at work like?

  • by electrogeist (1345919) on Thursday February 04, 2010 @04:21PM (#31026330)
    If they grab the windows search index file then they'd have a map to everything else?

    get \ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (vista)
    or \All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb (xp)

    and http://www.simplecarver.com/tool.php?toolname=Windows Search Index Extractor
  • I have Tourette's. This manifests in two situations, when ordering at a drive-thru and, oddly, when coming up with a file name. I think I am safe from this attack: whoreShitSlittySlutFuckCrevice.rtf
    • by dtolman (688781)
      Uh oh - I have the exact same filename. Best to change them to some really unguessable (and horrific) file names: MyLittlePonyRules.rtf IHeartStrawberryShortcake.xls MadeleineAlbrightNaked.jpeg
  • by markalot (67322)

    I run IE in Firefox mode, so I think I'm protected. ;)

  • Couldn't you access some kind of index file that would allow you to find everything else? Or are those files too low level for it to be accessed this way?
  • by Jason Pollock (45537) on Thursday February 04, 2010 @04:42PM (#31026648) Homepage

    Because there isn't an easily found, well known file that is a handy index of all of the files on your system:

    \ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

    http://en.wikipedia.org/wiki/Windows_Search [wikipedia.org]

    • Wouldn’t that file be pretty huge? (No Idea. No Windows here.)
      Also: There is no C:\ProgramData. (At least in XP.) Did you mean $HOME\Application Data, or C:\Programs?
      Or is that a Vista thing?

  • You mean like... (Score:4, Interesting)

    by Sfing_ter (99478) on Thursday February 04, 2010 @04:43PM (#31026658) Homepage Journal

    You mean like...
    C:\users\%username%\AppData\Local\Microsoft\Outlook\outlook.pst?
    hmmm...??? like that?

  • If things keep going like this regarding Microsoft and clever words, pretty soon this will be on Slashdot:

    "Microsoft has announced that it is investigating a vulnerability in IE where an attacker can gain access to a customer's computer if it is connected to the Internet. But as no version of Windows has Internet access by default, most users are not vulnerable"

    .

  • So you turn off something called "Protected Mode" and you're surprised that this may cause problems?
