Experts corroborate Windows, IE security hole
Security experts confirm that certain configurations of Microsoft's Windows operating system and Internet Explorer Web browser are open to a potentially dangerous vulnerability.
As previously reported by CNET News.com, security consultant Georgi Guninski yesterday published a report on the vulnerability, which is triggered when folders accessed through Microsoft Networking are viewed as Web pages. The problem occurs in Windows 98 and is the default setting in Windows 2000, he wrote.
Security experts at Security Focus said they have duplicated the problem for computers using Windows 95/98 and Internet Explorer 5.x.
"I would rate this problem a seven" on a scale of 10, said Elias Levy, an analyst with Security Focus and moderator of the Bugtraq security mailing list. He emphasized that corporate users protected by a firewall are not vulnerable--a point also made by Guninski--but said that many home users could face a potential threat.
Microsoft did not immediately return calls seeking comment.
Levy said the problem arises because of confusion about which folders on the network are to be treated as trusted and untrusted under Microsoft security settings. In essence, all folders--designated as Folder.htt files--are treated as trusted, allowing arbitrary code to be executed when viewed as a Web page.
"It seems that at least in Windows 2000, Microsoft attempted to do the right thing," Levy wrote in a posting to Bugtraq today. "The user browsing the malicious folder is asked whether they wish to execute the script within the Folder.htt file, but regardless of the answer the script is executed."
In an interview yesterday, Scott Culp, a program manager with Microsoft's Security Response Center, said the company was notified of the alleged vulnerabilities Sunday evening and is investigating them. He said it was too early to fully assess the merits of the report but added that some claims appear to be off the mark.
First, he said that the vulnerability as described by Guninski does not reproduce on some software configurations involving IE 5.x, although he declined to identify them specifically, saying to do so was premature. He also questioned Guninski's charge that the alleged problems stem from ActiveX, Microsoft's method of letting a Web browser interact with other, more powerful desktop applications.
Guninski has identified a growing string of vulnerabilities in Microsoft software. Like this week's reported vulnerability, some of those exploits have been linked to ActiveX. That technology has been the target of security concerns for some time.
Culp added that Microsoft has shown a strong commitment to security, soliciting bug reports from the public and responding in a timely fashion. He said the Security Response Center thoroughly investigates all bug reports. It has received about 5,000 bug notifications. Of those, only 400 required full investigations, resulting in the 55 security patches that have been issued to date.
He cited Microsoft's security upgrade to Outlook Express in the wake of the "I Love You" virus attack as an example of the company's strong stance on security.
Culp also criticized Guninski for going public with his report just 12 hours after notifying Microsoft, giving the company insufficient time to investigate the vulnerabilities and respond.
"There is an industry consensus about how to handle security vulnerabilities that is very different than the way this one was reported," he said.