back to article IE Windows vuln coughs up local files

If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive. The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once …


This topic is closed for new posts.
  1. RW

    It's the Microsoft w-a-a-a-a-a-y!

    Create features, functions, and facilities that are inherently insecure! Yee haw!

    ActiveX was the first significant step down this long and slippery slope. There's an O'Reilly book on HTML from about the time of ActiveX's debut, when Netscape was still the godzilla of browsers. In it, the author specifically warns against using ActiveX on a webpage because of the security risk. Did Microsoft act responsibly? No, of course not.

    From another perspective, what MS has done over the years is to tightly integrate the OS and all applications (at least those from MS). Doing this has the effect of making those apps a part of the OS, increasing the size of the OS, and hence increasing the likelihood of there being security holes.

    This is nothing new. Windows and, iirc, DOS have had undocumented trap doors in them for many years, so Excel could do its own memory allocation and thereby bypass the inefficient scheme in the OS.

    The thing I wonder is this: why can a small security firm figure out these holes, yet MS, with its hordes of employees, can't? Can it possibly be that MS doesn't hire the best and the brightest, or is it that it simply doesn't bother to look at the security implications of various bells and whistles?

    Don't tell me it's so!

    1. konstructa

      They Fix It

      The problem with exploits is that EVERYONE has them it's just a matter of finding them. People are going to look for holes in software that is heavily used. It's a problem all software companies have not just Microsoft.

      1. Anonymous Coward

        They fix it?

        Did you not just read the article? Did it not say that these explains have be reported multiple times to Microsoft, with little effect?

        They fix it?.. Kind of like they fixed the Aurora IE bug when it was reported, 3+ months before it was used to attack Google and +30 others?

        I hate to say this, because Microsoft does have it moments, but the company is, well, a company. It's all about the bottom line. If it ain't broken, don't fix it; if it is broken and only a handful of security experts know about it, why bother fixing it?.. It's not until it starts causing noticeable damage that Microsoft adds it to the list of things to fix when the next 6 month update batch rolls around.

    2. Anonymous Coward
      Anonymous Coward

      ActiveX, it's a disaster!

      Except YouTube wouldn't work without it...

      1. Anonymous Coward

        RE:ActiveX, it's a disaster!

        YouTube works just fine without it.

        Millions of Linux and Mac users could tell you that.

      2. g e


        So where in Ubuntu Firefox is ActiveX ?

        1. Keith Oldham

          Re: Eh?

          Why on earth do you think you need ActiveX to use youtube ?

      3. markp 1
        Black Helicopters

        If you're having to run ActiveX stuff to watch youtube

        then you've probably already caught some kind of AX-abusing virus. Sorry.

        I can watch YT just fine using Firefox WITH NoScript, Adblock etc all turned on to fairly high settings. Can tell you now that all it uses is a minor bit of javascript, and Adobe flash for the main player - though they are of course dabbling in open HTML5 video-embedding standards now.

        It's quite an event these days when I come across a page that demands I run it in IE because it uses activeX for something and I then have to click that scary yellow bar to authorise it. There's usually a slightly less flashy (needlessly so as the other standards can more or less cover the necessary bases, it just means writing new code) workaround offered on 99% of these sites though, which makes you question how necessary it is. Or why a web app needs such intimate access with your hard disk and other systems (Photosynth being an in-house case in point btw).

        It's a bit of a mystery how it ever got as widespread as it is given it was insecure, slow and viewed with great suspicion from day one. Should have died in the water...

    3. Indian-Art

      Good thing there are alternatives.

      I feel safe with Firefox on Ubuntu.

      Here is something interesting:

      "Firefox 3.6 has been downloaded…


      times since January 21, 2010" -

  2. devtty

    Won't work on non-administrative account

    This thing depends on hidden share C$ available to work, so users with limited or non-administrative accounts shouldn't be affected.

    1. Anonymous Coward
      Anonymous Coward

      That's what?

      Half a percent of the user base or so?

      1. devtty

        common on corporate PCs

        A large portion of corporate PCs will give regular users non-admin accounts.

        1. Anonymous Coward
          Thumb Down

          corporate v. personal

          you try securing a corporate laptop, and then deal with the wailing when the user at a faraway conference can't do their presentation/collect their emal etc. I set the up with two accounts, make the non-admin account the default etc, but looking at the junk that's installed when they next come in for a service, I suspect that admin account is used far too often.

    2. Mark 65


      Unless, of course, that there's a feature enabling escalation of privileges.

      1. AndrueC Silver badge

        You can't cover every base

        ..if the computer operator has been given authority to allow administrative actions and is then stupid enough to do so what can you do?

        The same principal is true of xIX. Persuade someone to use 'su' then persuade them to launch a dangerous application. If I remember correctly Ubuntu has pretty much the equivalent of UAC so is just as vulnerable.

    3. AndrueC Silver badge

      Just like xIX then

      Only a pillock runs as 'root' on an xIX box and you have to be a bit ignorant to run as an administrtor under Windows as well.

      People still on XP or earlier have a good excuse because running as a limited user on those system can be a bit of a pain (although fast user switching is a reasonable workaround most of the time in my experience). But people running Vista or Win7 have no excuse. Oh - unless they've been advised by some nerdy-know-it-all to disable UAC because it's annoying.

    4. Anonymous Coward
      Gates Horns

      Everyone uses administrative accounts

      ...because MS made it a complete pain in the arse not to.

      So it affects most people...

      1. markp 1

        not just them, mind

        Apple aren't too good at it either, I've just had to weedle the admin password out of someone for theirs so I can actually use the flippin internet whlst borrowing it, because there's a couple of vital settings that are blanked out. And I'll probably just use that from then on so I don't have to go through the whole logging out and back in twice thing, which is often not very fast. Returning to the point, it can be achingly slow on XP, for sure. Not every machine has fast switching on; it seems to be missing from most that actually use the admin / serf :) concept. Maybe it's more of a Home feature than Pro...

        I'm loathe to admit it but this is one of the things that linux actually gets "right". Account switching and temporary root login is fast and easy, so I've no problems - when *having* to use it - with running as a lower-authorisation user.

    5. OffBeatMammal

      so is this a problem on FF or Chrome as well?

      if this is underlying "stuff" does the problem also exist inother browsers or IM clients etc (think of all the Twitter clients people happily install...)

    6. Grease Monkey Silver badge


      By default windows is acting as an SMB server right out of the box and there's just no need for it. With the server service disabled or the default shares switched off this vulberability would not work even if the user did have administrative priveleges.

      Why do you need your desktop machine running the server service? In most cases you don't unless you are sharing files or printers.

      Why do you need the hidden shares that most users don't even know are there? In the overwhelming majority of cases you don't.

      Round here you need a good business case to activate the server service on any windows machine that isn't actually a server.

      It seems that MS still haven't learned the meaning of the phrase "secure by default". Yes they spout it a lot, but until they realise that every PC doesn't need to be a server and every PC doesn't need it's drives sharing by default then it's evident that their words are empty. Remember conficker? Part of the standard advice on stopping the spread of that little nasty was to disable the server service on every machine. When are they going to get it?

      The usual MS excise for this sort of crap is that the featur's there to make the users' lives easier. This is crap. It's there to make the coders' lives easier. The server service should only be started when a user tries to enable something that requires the server service to run. And when the user disables the last thing that requires the server service then the service should be stopped. And when you do something that will force the server service to start user confirmation should be asked for along with a dire warning of the potential consequences.

      It is unavoidable that any large code base will contain vulnerabilities and for that reason vendors should learn that the fewer features that are enabled the fewer vulnerabilities will be exploitable on a given installation. And if the vulnerability is an exception rather than the rule the black hats won't bother trying to exploit it.

    7. markp 1

      um, about that...

      On the active directory setup I'm posting from, you can still get at the C$ share regardless of who's logged in. It's very handy for, e.g. remotely pushing driver updates to a machine whilst the person logging the problem is still logged on, without needing to start up remote desktop or anything like that. Just fire it at the appropriate folder under C$.

      Though of course you still need an admin account of your own, but various of us users have one of them as our main accounts for the convenience of providing support. Which I guess means that if I was sloppy enough to use IE and get caught by one of these activeX hacks, they could have access to my whole network.

      For all the good it'll do them though. Even I can't get to the truly sensitive bits of the servers, and all the workstations have crap-all in the C:\ drives as they're installed to be network drive-accessing black boxes.

      Why do we still allow people to use that browser anyway, when it's illegal to drive without a seatbelt?

  3. gollux

    Total Awesomes...

    Get your Windows XP Espionage Enabled(tm) workstation here!

    Helping share with the world since 2003!

  4. Anonymous Coward
    Anonymous Coward

    Marketing first, product last

    RW, I think the problems comes from working in a bubble and paying progressively less and less attention to the world around until it forces itself on the enterprise. The more complete monopoly one has and the more emphasis one puts on profit, the less attention is payed to other things and the easier it is to fall into that trap. Likely, insiders who nagged about such issues were probably ostracized.

  5. Anonymous Coward
    Gates Halo


    I'm using IE8 in Protected mode in Windows 7 Ultimate. I have absolutely nothing to worry about. Only people who are using the fugly XP are in trouble.

    1. Atli

      Nothing to worry about...

      Correction: You have nothing -you know about- to worry about.

    2. Anonymous Coward
      Gates Horns

      yawn.. o rly!

      only time will tell.. there is not much public info so far is there, to be honest if you can get people to click a link in the first place your half way there, theres many many ways to get inside the box if people are clicking away!

      mass client side with fast-track anyone?

    3. Lee Dowling Silver badge


      Using Windows Whatever or IE Whatever in Whatever mode doesn't seem to be a big problem - the first line of the story says "If you use *any* version of Internet Explorer" and doesn't mention XP or Vista or 7 specifically. And the only links are to *similar* vulnerabilities discovered in the past, not to the actual exploit, which hasn't been released yet.

      But please do go on believing that running any particular version of anything is "secure". Fact is, IE 8 is just as vulnerable as IE 7, 6, 5, 4, 3, 2, 1 - it's just that many people haven't *seen* the holes yet, not that they don't exist. And the same for Windows 7. Always just look at any security mailing list about six months after any OS is released (no point before that, because people don't like to reveal holes before people even *have* the OS to exploit) and the OS will appear there just the same as any other. Maybe a little less frequently, maybe a little more, but it'll be there.

      What matters in my opinion is the response to the holes - and MS only ever seems to "be investigating" them and rarely offers a timely patch. Most MS exploits tend to be released to the public because the security researchers got bored of waiting for a patch or even comment from MS. That's not reassuring to me.

    4. Mike Bell


      If you think you have nothing to worry about, you have *everything* to worry about.

    5. Magnus_Pym

      Hi. Microsoft here...

      ... You have nothing to fear, you can trust us. Here, have a nice long drink of this Cool Aid.

    6. markp 1


      hahahahahah.... ahahahah.... haaaaahahahah *breath* aaaaaaaaaaaaaahahahahahah (etc)

  6. Big-nosed Pengie


    How surprising!

  7. James 47


    programs using their own heap allocation algorithms isn't new or limited to windows. all software ships with bugs, both known ones and unknown ones. in a private company, probably unlike linux, developers work to deadlines. the product ships on that date or the manager loses his bonus. which is more important, your manager's bonus or product quality? answers on a postcard

  8. Lars Silver badge

    The obvious solution

    is to skip IE.

  9. Danny 14

    it would all go away...

    Oh sudo where art thou! All is forgiven!

  10. Chris 193

    @AC - Yawn

    MS demonstrate time and time again they don't do security and because you're using IE8 you think you're safe? How long do you think it'll be before it's discovered that the oh-so-safe browser you're using ain't so safe after all? Just because MS say it's the 'safest yet' means f-all, we've been hearing that for years and still the holes keep appearing. Your smug reasoning is as flawed as their browser.

    1. g e

      Don't forget...

      ... the multimedia performance which will dazzle you, either ;o)

  11. Ross 7

    Is it 1997 again?!

    Sounds like it's dropping a VBscript into the cache, then using some jiggery pokery to run it from there in the local zone. Pretty sure that used to be possible (and was exploited) many moons ago. Still, good work to get it working again on more current OSes. In an educational sense - not as in the "great, another exploit to keep away from" sense.

    As for SMB - will someone please just put it out of its misery? It's got more crap sticky taped onto it than....

  12. Kristian B

    Stupid IE Users Deserve Everything They Get

    People stupid enough to use Internet Explorer deserve everything they get!

    It doesn't matter what we do, it's impossible to protect such people from themselves!

    Anyone caught using Internet Explorer should have their computer confiscated and replaced with a big box of crayons!

    And any IT department allowing IE use in their business needs to get a pin and pop the Microsoft bubble they live in!

    1. markp 1

      problem is

      it does seem to be a lot easier and more reliable to install on a domain network, given as it's basically a part of windows itself.

      Installing the copy of Firefox I'm using on here did cause some headaches and it only gets worse if I try to use it to any serious extent off of the one workstation I put it on. Woe betide if I let it install an auto update on a different one again..... bye bye extensions, history and bookmarks...

      IE8 just breezed on into the computer's pants as if it was made of champagne, chocolate and honey-dipped e-pheremones.

  13. Tom Chiverton 1 Silver badge

    SMB ?

    Wont CIFS be egress filtered, accidentally or deliberately, by the users router, in the vast majority of cases ?

  14. Ed L

    "C Drive"?

    When you talk about the C drive, do you actually mean the C drive?

    Not all Windows installations are located on, or even are fitted with a C drive.

    No, I see that you do not in fact mean the C drive.

    The exploit can gain access to any Windows share. This would make any and all local partitions vulnerable where administrative shares are created (C$, D$, etc).

    It is possible to use Group Policy to disable their creation, which may be implemented in some environments.

    I think you should have been clearer on this point for your readers. The information you offer could well be misleading.

  15. Adrian Midgley 1

    SMB? But Samba doesn't do this, does it?

    I expect Microsoft would love to make changes to SMB networking, however I don't see any mention of Samba (SMB networking for Unix/Linux/MacOS/X etc etc) showing this hole.

    So perhaps the solution is better found in Internet Explorer, or in reversing the camouflage and conflation of IE with the operating system.

  16. Anonymous Coward

    machine's C drive

    What if your machine doesn't have a C drive. Does it still work. Is there a link to a demo ?

    1. Anonymous Coward
      Anonymous Coward

      It doesn't matter.

      The drive/partition on which you installed Windows is traditionally called the "C-drive", regardless of which letter Windows has actually assigned to it. It's more of an expression than an actual reference to your file-system. (Most of the time, anyways)

      So yes - assuming the designers of this hack aren't M$ empl... err.. complete idiots - it should be smart enough to just sniff out the actual letter and use that one instead.

  17. Anonymous Coward
    Anonymous Coward

    @Kristian B

    1) Users often dont have a choice - particularly corporate users.

    2) Users dont care, they want and rightfully expect their machines to work and since they download all the updates and have paid Mcaffee this year then they are safe. They (users) often have lives outside of their computers, use them for limited and necessary tasks but really would be as happy without them.

    Unfortunately your view is reflected by far too many people in IT. Get with the modern times and start realizing that IT is a service to a company, it does not earn fees, so stop being so arrogant.

    I recently worked for a large broadcast company who had no specific training for users in basic computing. It was expected that people should know how to use a computer which means they rely on mostly self taught use of internet etc and at home no-one told them not to use IE.

This topic is closed for new posts.

Other stories you might like