Hueskes found that Microsoft's Dynamic HTML feature allows a Web page to steal any file from the computer of an IE4 user, as long as its name and path are known. Hueskes has posted a description of the exploit and a demonstration page. See this summary of all MS security bugs and exploits reported in TBTF in 1997.
Microsoft promises to close the security hole quickly
By Jo Bager, c't magazine
While you surf the Web or read your email, an intruder from the Internet steals your data without hindrance. A horror vision? Microsoft's new Internet Explorer 4 makes it a reality. It allows commands to be hidden in an email or Web page that secretly send files to unauthorized people.
Internet consultant Ralf Hueskes, who reviewed IE4 for the German computer magazine c't, considers this security hole a severe problem for end users and companies: "Even a corporate network secured by a firewall is not protected against this attack." The security hole is not an error in the code but is rooted in the design of the program, he says. It exists even when the browser's security options are set to "high" (the standard values).
It is possible for an intruder to steal at least text and HTML files; whether other file types are affected is not clear. The security hole exists in IE4 for Windows 95 and NT. Apparently, the preview version for the Apple Macintosh is not affected. The only obstacle for the intruder is that he has to specify exact path names or Intranet addresses for the files. Since many programs, for example those installed under Windows, use standardized directory names, the thief would stand a good chance of locating, say, the security file for a user's copy of Quicken.
The trick is quite easy. It is based on Microsoft's Dynamic HTML. The intruder hides a so-called IFRAME with a reference to the wanted document in a mail or Web page. When the unsuspecting victim reads it, the Microsoft browser or the email client Outlook Express loads the referenced file into the IFRAME's invisible window. An additional hidden IFRAME then sends it to the intruder's server.
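As an added illustration that is not part of the article, the following Python check scans an HTML page or e-mail body for the pattern described above: an IFRAME whose source names a local file, or an IFRAME styled or sized to be invisible. The sample markup and the file path in it are constructed for the demonstration; the `audit_html` function and its heuristics are this example's own, not anything from Microsoft or c't.

```python
import re
from html.parser import HTMLParser

# A source that names a local file rather than a Web page: file: scheme,
# a drive-letter path, or a UNC path. Intranet hostnames cannot be told
# apart from Internet ones by the URL alone, so they are not matched here.
LOCAL_SRC = re.compile(r"^(file:|[a-zA-Z]:[\\/]|\\\\)", re.IGNORECASE)


def is_hidden(attrs):
    """Heuristic: frame styled invisible or sized down to (almost) nothing."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px").rstrip("%")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


class IframeAuditor(HTMLParser):
    """Collects IFRAME tags that load local files or are hidden from the user."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        local, hidden = bool(LOCAL_SRC.match(src)), is_hidden(a)
        if local:
            severity = "high"      # loads a file from the victim's machine
        elif hidden:
            severity = "low"       # invisible frame: the exfiltration half
        else:
            return
        self.findings.append({"src": src, "local": local, "hidden": hidden,
                              "severity": severity})


def audit_html(markup):
    """Return the list of suspicious IFRAMEs found in the given markup."""
    parser = IframeAuditor()
    parser.feed(markup)
    return parser.findings


# Constructed sample: one frame reading a local file, one hidden Web frame,
# and one ordinary visible frame that should not be reported.
SAMPLE_MARKUP = """<html><body><p>Harmless-looking page.</p>
<iframe src="file:///C:/Example/secret.txt" width="0" height="0"></iframe>
<iframe src="https://example.com/ads" style="display: none"></iframe>
<iframe src="https://example.com/widget" width="300" height="200"></iframe>
</body></html>"""
```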
At the moment, the only way to protect your data is to disable the setting "Active Scripting" in the basic options of Internet Explorer for all Internet zones. (You can find it in the menu View > Internet Options > Security > Settings.) But if you disable Active Scripting you risk losing important program functions: many Web sites will no longer be accessible.
Informed of the test results, Microsoft acted quickly. On Thursday night, software developers from the headquarters in Redmond held a telephone conference with editors from c't to get the technical details. They also accessed a German Web server that had been set up especially to demonstrate the security hole. A spokesperson from Microsoft stated afterwards that a patch to correct the problem would be put on Microsoft's Web site on Friday, October 17th. But Microsoft does not consider the failure to be severe, he said; it would not be possible to change or destroy files using this technique.