Bugtraq mailing list archives

IE5 UNIX sp00ky p0st


From: NHC Research <ipfreely () NEWHACKCITY NET>
Date: Fri, 13 Oct 2000 02:08:28 -0700

"Would you like some... HOT COCOA?!" -- Monster Chiller Horror Theater

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Howdy,

First, let me say that we have decided to not post an advisory on this
subject since we did not discover anything new. Instead, we decided to
post an informal message detailing the findings from our testing.

Second, let me thank Georgi Guninski and the other people who not only
find vulnerabilities, but give great documentation and example code to
work from. We could not have gotten any meaningful testing done without
the contributions these people have made to the community.

Last, we want to say that IE5 UNIX is a great piece of software, in
relative comparison to the other web browsers available on UNIX
platforms. I highly suggest people check out IE5 UNIX once Microsoft
addresses these issues. We sincerely hope this is ported to Linux soon.

Now, onto the Why/How.

Why? I was talking to my friend Clint, who said he only uses IE5 on
Solaris because he is incredibly fed up with Netscape. This got me
thinking: there have been a lot of patches against IE 5.0 on Win32,
along with a couple of minor releases (IE 5.01 and IE 5.01 SP1):
where are the updates for the UNIX version? The answer: There are
no updates available that we could find. Communications to Microsoft
provided no answers, either.

How? First, I sent a message to secure@Microsoft asking two questions:
1) Are the UNIX codebases completely divergent, making them potentially
susceptible to attacks the win32 version is not, and 2) If the codebases
aren't completely divergent, then the UNIX versions of IE5 are most
likely vulnerable to the same problems that have been reported about
IE4/5 in the past few years. If that's true, why aren't fixes being
supplied to UNIX users of IE?

That e-mail was sent on July 13th. I received an immediate response
that said my message had been forwarded to the IE team. After 10 days
of no reply, I resent the message, requesting a reply. There was none.
So, after finally getting some time to test we would like to report a
"Lucky 7" collection of vulnerabilities that IE5 UNIX is vulnerable to.
We feel this is enough to demonstrate our point, and we feel that
spending any more time doing this would warrant being paid by Microsoft
for QA work.

Listed here are the BugTraq IDs, the original author, the "title" of the
vulnerability, and the results of testing the vulnerability against IE5
UNIX. Note that in vulnerabilities where a file "c:\test.txt" was used,
we replaced it with "/tmp/test.txt". The substitution also worked with
"/etc/passwd".

BugTraq ID: 1394
Original Author: http-equiv () excite com
Title: Microsoft Internet Explorer and Outlook/Outlook Express Remote File
Write Vulnerability
Result: Locks up all running instances of IE, must be manually killed.

BugTraq ID: 1311
Original Author: Georgi Guninski <joro () nat bg>
Title: Microsoft IE NavigateComplete2 Cross Frame Access Vulnerability
Result: same result as Win32.

BugTraq ID: 1121
Original Author: Georgi Guninski <joro () nat bg>
Title: MS IE 5.01 JSObject Cross-Frame Vulnerability
Result: same result as Win32.

BugTraq ID: 887
Original Author: Georgi Guninski <joro () nat bg>
Title: Microsoft IE external.NavigateAndFind() Cross-Frame Vulnerability
Result: same result as Win32.

BugTraq ID: 815
Original Author: Georgi Guninski <joro () nat bg>
Title: Microsoft IE5 XML HTTP Redirect Vulnerability
Result: Causes "Internal Error" (crash)

BugTraq ID: 722
Original Author: Georgi Guninski <joro () nat bg>
Title: Microsoft IE5 Javascript URL Redirection Vulnerability
Result: same result as Win32.

BugTraq ID: 696
Original Author: Georgi Guninski <joro () nat bg>
Title: Microsoft IE5 IFRAME Vulnerability
Result: same result as Win32.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE54QA7M+WP9Eauj+URAih5AJ4ocmOy8SGXcyTXafy9eDMD/MZkjQCguncv
G3e7hDlhAl4G78hQ9iuLQwY=
=PF1R
-----END PGP SIGNATURE-----
