Bug hunter spies holes in Windows, IE 5.x

Noted bug hunter Georgi Guninski issues a security alert warning that Microsoft Windows 2000 and later versions of Internet Explorer could be vulnerable to security problems.

Evan Hansen Staff Writer, CNET News.com
Noted bug hunter Georgi Guninski issued a security alert today warning that Microsoft Windows 2000 and later versions of Internet Explorer may be vulnerable to security problems planted in local and remote network folders.

In a security advisory, Guninski said he identified a vulnerability triggered when folders accessed through Microsoft Networking are viewed as Web pages, which occurs in Windows 98 and is the default setting in Windows 2000.

He said that users of IE 5.x on Windows 98 can trigger files capable of giving an unauthorized person control of their computer. The exploit occurs if someone merely views a local or remote folder, similar to vulnerabilities identified in visiting Web pages or viewing HTML-based email in Microsoft's Outlook email client.

Guninski also said systems administrators could face a compromise if they view a tampered local network folder under default settings on Windows 2000.

Guninski said the problems do not affect systems that open booby-trapped folders through a security firewall.

Scott Culp, a program manager with Microsoft's Security Response Center, said the company was notified of the alleged vulnerabilities yesterday evening and is investigating them.

He said it is too early to fully assess the merits of the report but added that some claims appear to be off the mark.

First, he said that the vulnerability as described by Guninski does not reproduce on some software configurations involving IE 5.x, although he declined to identify them specifically, saying to do so was premature. He also questioned Guninski's charge that the alleged problems stem from ActiveX, Microsoft's method of letting a Web browser interact with other, more powerful desktop applications.

Guninski has identified a growing string of vulnerabilities in Microsoft software. Like today's reported vulnerability, some of those exploits have been linked to ActiveX. That technology has been the target of security concerns for some time.

In today's report, Guninski said problems could result from operating systems viewing folders as Web pages.

"The way the folder looks when viewed as a Web page is controlled by a file, Folder.htt, located in the folder, which is a special HTML file that may contain Active Scripting and ActiveX Objects," Guninski wrote.

A malicious programmer could use ActiveX to execute an arbitrary file, potentially taking over the victim's computer, he said.
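As an added example, not from the article or from Guninski's advisory, here is a defender-side check in Python that walks a directory tree (for instance a mounted share) and flags every Folder.htt whose Web-view template carries script blocks or ActiveX object tags; the sample tree and the zeroed placeholder CLSID are constructed for the demo.

```python
import os
import re
import shutil
import tempfile

# Markers of active content in a Folder.htt: client-side script blocks and
# ActiveX instantiations via <object classid=...>.
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
ACTIVEX_RE = re.compile(r"<object\b[^>]*\bclassid\s*=", re.IGNORECASE | re.DOTALL)


def classify_folder_htt(html):
    """Return the active-content markers found in one Folder.htt body."""
    findings = []
    if SCRIPT_RE.search(html):
        findings.append("script")
    if ACTIVEX_RE.search(html):
        findings.append("activex-object")
    return findings


def scan_tree(root):
    """Walk root and return {folder_path: [markers]} for folders whose
    Folder.htt contains active content; plain customized views are skipped."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "folder.htt":
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                markers = classify_folder_htt(fh.read())
            if markers:
                flagged[dirpath] = markers
    return flagged


def demo():
    """Constructed sample tree: one harmless customized folder, one with active content."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "reports"))
        os.makedirs(os.path.join(root, "shared"))
        with open(os.path.join(root, "reports", "Folder.htt"), "w") as fh:
            fh.write("<html><body><p>Quarterly reports</p></body></html>")
        with open(os.path.join(root, "shared", "Folder.htt"), "w") as fh:
            # Constructed marker content with a placeholder CLSID, not a real control.
            fh.write('<html><script language="JScript">x=1;</script>'
                     '<object classid="clsid:00000000-0000-0000-0000-000000000000">'
                     '</object></html>')
        return {os.path.relpath(k, root): v for k, v in scan_tree(root).items()}
    finally:
        shutil.rmtree(root)
```

In practice the same walk would be pointed at each share's mount point, and any flagged folder reviewed before anyone browses it with Web view enabled.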

In a second scenario, Guninski wrote that a local administrator could fall prey to a similar attack by viewing a local file under Windows 2000, although he said he has not tested the exploit with IE 5.x installed. Under the default setting, Windows 2000 views folders as Web pages, theoretically leaving open the door to the same exploit.

Microsoft's Culp dismissed that risk.

"The scenario for catching an administrator really falls apart," he said. "You'd need physical access to the administrator's machine, then you'd need to make changes to folders on the machine and then entice (the administrator) to go in and take some action."

Culp said basic security precautions exercised by most administrators ruled out the exploit as a realistic threat.

He added that Microsoft has shown a strong commitment to security, soliciting bug reports from the public and responding in a timely fashion. Culp said the Security Response Center thoroughly investigates all bug reports. It has received about 5,000 bug notifications. Of those, only 400 required full investigations, resulting in the 55 security patches that have been issued to date.

He cited Microsoft's security upgrade to Outlook Express in the wake of the "I Love You" virus attack as an example of the company's strong stance on security.

Culp criticized Guninski for going public with today's report just 12 hours after notifying Microsoft, giving the company insufficient time to investigate the vulnerabilities and respond.

"There is an industry consensus about how to handle security vulnerabilities that is very different than the way this one was reported," he said.