Hacker Discovers New Way to Exploit IE Security Bug
by Brian McWilliams, PC World News Radio
January 15, 1998
The tight integration of Internet Explorer with Windows is being blamed for a new browser security flaw discovered Wednesday.
A Massachusetts college student and hacker named Dildog has released the source code for an attack that in some circumstances causes IE4 and IE4.01 to crash and then execute any attached binary code.
It's a new version of the RES bug discovered by Dildog in November, different only in that it's launched with a URL that begins with "mk" instead of one that begins with "res". And it affects not only Windows 95 machines, but NT systems as well.
Dildog told NewsRadio that a buffer in IE4 overflows when the browser encounters a Web page or an HTML e-mail message with the appropriate URL. That causes the browser to page-fault and then, in some cases, to run any binary code that's appended to the URL.
"Anything that uses mshtml.dll, or particularly urlmon.dll" is vulnerable, says Dildog. "Since IE is so integrated, almost all the apps that Microsoft writes end up using mshtml and urlmon...so they're all vulnerable."
A demo of the attack, which is available on the Web, causes some Windows 95 and NT machines to crash and to download what Dildog says is a small, harmless file to the hard drive; the file then executes automatically. Microsoft has not yet commented on the bug.
According to Dildog, there's currently no way for IE4 users to avoid the flaw, other than to use a different browser. He says there seems to be "a pattern of coding carelessness on the part of the IE4 people who wrote that particular section--it's happened twice in the same area. If there are any more [security holes] in there, how long is it going to be before people wise up?"