Alert: IE 4.0 Security Zone compromise

[aleph1 () DFW NET (Aleph One)]

New Internet Explorer vulnerability. As opposed to what Russ states below
there is a new risk created by this vulnerability. The default setting for
authentication in IE for the Medium security setting is to automatically
logon to machines in the Intranet zone when the web server requests user
authentication without prompting the user. Nice way for someone to go
finishing for passwords by posting some message with an embedded URL in a
newsgroup or mass emailing some corporation.

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

---------- Forwarded message ----------
Date: Mon, 19 Oct 1998 21:06:16 -0400
From: Russ <Russ.Cooper () RC ON CA>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: Alert: IE 4.0 Security Zone compromise

Sune Hansen, Webmaster of <http://www.WorldWideWait.com>, discovered a
security problem which affects Trust Zones within Internet Explorer
4.0+.

Basically, if you provide IE with <http://3475932041>, you'll arrive at
Microsoft's web site. However, it will be listed, and treated, as part
of your Local Intranet Zone when in fact it should be part of any other
zone.

For anyone who has made no modifications to their zones (i.e. using the
defaults supplied with IE), there is no difference since both Local
Intranet Zone and Internet Zone are set to "Medium" security.

If, however, modifications have been made to the zone security
configuration such that, for example, the Internet Zone is more
restrictive than the Local Intranet Zone, then the fact such 32-bit URLs
end up being seen by IE as trusted can create a problem.

IE appears to assume that anything it sees without a period in the URL
should be treated as part of the Local Intranet Zone. Winsock then takes
the address and properly translates it to a reachable IP address (you
could just as easily use PING or some other utility with such an
address).

Sune tested this on Windows '98, and I've tested it on NT 4.0 SP4 RC2
with IE 4.0 (SP1;2735 - 4.72.3110.8), and both caused the same problem.

Essentially the problem exists within IE, and not NT, but since Sune is
franticly seeking out media outlets to report the story, I figured it
was worth a note here. Microsoft did receive a brief message from Sune
on Sunday morning, although they were made more aware of the issues by
the media trying to verify Sune's claims.

I'm not trying to downplay the problem. Anyone who is using Trust Zones
should understand that they, alone, will not prevent a site from placing
a URL in the above fashion and causing a site to be viewed as a Local
Intranet Zone site. Proxies, and Firewalls, however, are not affected by
this and will properly enforce restrictions if so configured. The
problem appears to reside entirely within the mechanism that IE uses to
determine if something is part of the Local Intranet Zone when no
servers are configured in that zone.

My conversations with Microsoft indicate we will hear more when they
have more fully investigated the ramifications of the issue.

Cheers,
Russ