HTAs in Internet Explorer 5.0 are fully trusted, allowing harmful actions without warnings.
Date: Tue, 8 Jun 1999 08:41:54 -0400
From: "Noller, Jesse" <[email protected]>
To: [email protected]
Subject: IE 5.0 and HTAs Security hole
Good day:
I recently set up an NT box, with just the basic setup, no other
modifications, other than SP5, and an installation of Internet Explorer 5.0.
I was pondering writing some HTAs (HTML Applications) for my web-design
business when I thought about the relationship between IE 5.0 and HTAs.
After some testing with different types of code and operating systems, a
certain realization occurred to me.
One of the main advantages of HTAs over regular Web pages, is that
they are fully trusted. As such, HTAs are allowed actions that Internet
Explorer would never approve of for Web pages. The bottom line is that HTAs
do not bother the user with questions and interruptions. They are *fully*
trusted.
There are several implications for being a trusted application. HTAs
have read/write access to the system registry on the client machine. HTAs
run embedded ActiveX controls and Java applets without any warning. Zone
security is off for HTAs, so all operations subject to security zone options
are nevertheless permitted for HTAs.
So, I program a VB program set to nuke certain system files (Virus
Scan system files, Ini's, even registry keys), attaching it to an
installshield wizard. So, instead of allowing the typical user to download
and run the program, where, possibly, my hostile code, and program might
otherwise be discovered, I simply say, "Please run this application from the
current location". Although advanced users would know better, this is
becoming the norm, so, many users might not. I have now opened the door,
inserted my code, and destroyed your data.
Now, when running something like this under administrator privileges
in NT, not only does it open the registry, but the entire system. Simple
trojans like netbus can then be installed without end-user knowledge. It can
also allow for theft of encrypted data and password files.
Although precautions for this can be taken, as I stated earlier,
many users might not know. I know on our local intranet, we run HTAs
frequently for software updates. Microsoft has end-users execute them also.
This security hole affects all versions of win 9x/NT.
My main testing simply consisted of me downloading multiple types of
virus scanning utilities, installing them, then building the Installshield,
and attaching Netbus and a hostile VB program to wipe out viruscan system
files, reboot the machine, and continue the install. I then programmed the
HTA, and executed it on more than one Win box.
Netbus was successfully installed, giving me system access. I,
however, had been logged in as Admin. Many people might not do this on
console regularly, but many do. I do believe, however, this bug is reliant
on having IE 5.0 INSTALLED ON THE MACHINE. I have not yet had a chance to
test it with anything lower.
Please let me know what you think.
-Jesse Noller
Consultant - New Boston Systems
[email protected]
Bill Gates on marking territory:
"I don't know if he's referring to pissing on JFC or pissing on JDK 1.2. Nor
do I know is what he specifically means by 'pissing on'.... I think it's a
term of multiple meanings."
Bill Gates, in videotaped testimony, responding to questions about an email
message from Microsoft's Ben Slivka that discussed Microsoft's strategy
toward Java Foundation Classes included in the Java Development Kit 1.2.
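The scenario in the post (an HTA started straight from the browser, with full trust and often under an administrative account) can be spotted in process-creation telemetry. The following detection logic is an added example, not part of the original post: it assumes a simple key=value log format, constructed sample lines, mshta.exe as the process that hosts HTAs, and an assumed naming convention for administrative accounts.

```python
import re
from dataclasses import dataclass

# Constructed process-creation log (not real telemetry), one key=value record per line.
SAMPLE_LOG = """\
ts=1999-06-08T08:41:54 parent=iexplore.exe image=mshta.exe cmdline="mshta.exe C:\\Temp\\update.hta" user=Admin
ts=1999-06-08T08:42:10 parent=explorer.exe image=notepad.exe cmdline="notepad.exe C:\\notes.txt" user=jesse
ts=1999-06-08T08:43:01 parent=explorer.exe image=mshta.exe cmdline="mshta.exe \\\\intranet\\deploy\\patch.hta" user=jesse
ts=1999-06-08T08:44:22 parent=iexplore.exe image=mshta.exe cmdline="mshta.exe http://example.test/app.hta" user=Admin
"""

ADMIN_USERS = {"admin", "administrator"}          # assumed account naming convention
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')     # key=value or key="quoted value"
HTA_RE = re.compile(r'(\S+\.hta)\b', re.I)        # the .hta argument on the command line
TEMP_RE = re.compile(r'\\(temp|tmp|downloads?)\\', re.I)

@dataclass
class Alert:
    ts: str
    severity: str
    target: str
    reasons: list

def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(fields: dict):
    """Return an Alert for an mshta.exe launch, or None for any other process."""
    if fields.get("image", "").lower() != "mshta.exe":
        return None
    m = HTA_RE.search(fields.get("cmdline", ""))
    target = m.group(1) if m else ""
    reasons = []
    if fields.get("parent", "").lower() == "iexplore.exe":
        reasons.append("HTA started directly by Internet Explorer")
    if re.match(r"https?://", target, re.I):
        reasons.append("HTA loaded from a URL")
    elif TEMP_RE.search(target):
        reasons.append("HTA loaded from a temp/download directory")
    severity = "high" if reasons else "low"       # every HTA runs fully trusted; these are the riskiest origins
    if fields.get("user", "").lower() in ADMIN_USERS:
        reasons.append("run under an administrative account")
        severity = "medium" if severity == "low" else severity
    return Alert(fields.get("ts", ""), severity, target, reasons)

def scan(log: str) -> list:
    """Run classify() over every non-empty line and collect the alerts."""
    return [a for a in (classify(parse_line(l)) for l in log.splitlines() if l.strip()) if a]
```

An intranet deployment HTA launched by a normal user still produces a low-severity alert, which matches the post's point that HTAs are trusted wherever they come from.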