Re: ALERT: Remote Retrieval Of Authentication Data From Internet Explorer

[Mitja Kolsek <mitja.kolsek () ACROS SI>]

> At the core of this vulnerability is a "feature" I recall reporting to
> bugtraq over a year ago.
>
> See:
>  http://www.securityfocus.com/archive/1/24766
>
> At that time the bugtraq community seemed to deny that there really was a
> vulnerability, though I believe someone from Microsoft mentioned they would
> suggest the IE team look into it.

Indeed, at the time of writing our report we weren't aware (at least not
consciously) of Justin's reporting this issue to Bugtraq, although we must have
read it when he did. Having examined the thread on securityfocus I've found Paul
Leach (Microsoft) saying he'd forward the issue to IE security team. Probably
they didn't find the issue critical enough, possibly for lack of a convincing
exploit.
Well, even if the vulnerability we found was not in the domain of sending auth
data explicitly to another port but rather using another protocol, the latter
implies the former so the underlying problem is probably the same - the one
Justin reported.

> It's nice to see someone come up with a fairly convincing exploit.

What we all should learn from this is that our perception of some vulnerability
is actually based on our visualization of its exploitation. If we can't think of
a convincing exploit scenario, we easily dismiss the vulnerability as "Bah, not
that serious". When someone thinks of a fairly convincing exploit, the
vulnerability doesn't change, but our perception of it does.

When we're looking for security problems in systems or products, we always
scrutinize "strange features" (even if seemingly benign), because a potential
vulnerability could be just a scenario away. It might be wise for vendors to use
this approach in development too.

Mitja Kolsek

ACROS, d.o.o.
Stantetova 4, SI - 2000 Maribor, Slovenia
web: http://www.acros.si
phone: +386 41 720 908
e-mail: mitja.kolsek () acros si