<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<title>Serious Internet Explorer Defect</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="description" content="Computer Security">
<meta name="keywords" content="virus, worm, trojan, computer security, hacker, hacking, privacy">
<meta name="htdig-keywords" content="virus, worm, trojan, computer security, hacker, hacking, privacy">
<link rel="STYLESHEET" type="text/css" href="http://www.jmu.edu/computing/it1.css">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Border" content="tlb, default">
</head>
<body><!--msnavigation--><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td bgcolor="#ffffff">
<a name="top"></a>
<table width="100%" border="0" cellspacing="0" cellpadding="0" summary="This layout table is used to create the header navigation.">
<tr><td width="75%"></td>
<td class="headerdate" width="25%" align="right"> November 19, 2002</td>
</tr>
</table>
</td></tr><!--msnavigation--></table><!--msnavigation--><table dir="ltr" border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td valign="top" width="1%" bgcolor="#ffffff">
</td><td valign="top" width="24"></td><!--msnavigation--><td valign="top">
<h2>Serious Internet Explorer Defect</h2>
<p>This is a developing issue and the information presented here is preliminary
in nature and subject to frequent changes. Last significant update -
11/08/02-1830</p>
<p><b>There is no exploit code posted on this page nor has there ever been. Only
defensive measures are described.</b></p>
<h3>SUMMARY</h3>
<p>A simple way to exploit an unfixed defect in Internet Explorer has been discovered that allows malicious web
sites, and possibly malicious email messages read with Outlook or Outlook Express, to take control of
a computer. All you would need to do is click a web link and the owner of the
web site could take almost any action they desired on your computer.</p>
<p>Simple, working exploit software was recently published to a public mailing list.</p>
<p>There is no patch to fix the problem. Anti-virus and personal firewall
software will not prevent an exploit. It is hoped that Microsoft will provide a patch to fix this defect in the near
future.</p>
<p>It is impossible to predict how, when, or even if someone will take advantage of this,
but because of the ease with which bad things can be accomplished, it was decided to
post an announcement. Nothing at all may happen. Or someone could write a
virus or put up a malicious web site to take advantage of the situation at any
time. The last time an exploit for a defect with similar
characteristics was published, it was quickly incorporated into many email
viruses, making it unnecessary to click an attachment to get infected.</p>
<p>The following practices are recommended for users of Internet Explorer,
Outlook, and Outlook Express until more information becomes available:</p>
<ol>
<li>Users of Outlook and Outlook Express should perform the following simple,
unobtrusive procedure to disable scripts from executing in email messages:
<p>Click the Tools menu item and select Options</p>
<p>Click the Security tab</p>
<p>In <b>Outlook Express</b>, make sure the Virus Protection security zone is
set to <b>Restricted site zone</b> as shown in the window below:<br><br></p>
<p>
<img border="0" src="iehot.2.jpg" width="439" height="460"><br><br>
</p>
<p>In <b>Outlook</b>, make sure the Secure Content Zone is set to <b>
Restricted Sites</b> as shown in the window below:<br><br></p>
<p>
<img border="0" src="iehot.3.jpg" width="439" height="459"><br><br>
</p>
<p>These are the default settings for Outlook 2002 and Outlook Express 6.
Users of earlier versions should change the setting to Restricted.</p>
</li>
<li>Indiscriminate browsing of untrusted or questionable web sites should be
avoided or scripting should be disabled as described in the additional
security measures below. Note that hyperlinks sometimes
appear in email or instant messages. If these messages are from malicious
individuals, they could lead you to a malicious web site.<br><br></li>
<li>Indiscriminate clicking of hyperlinks in unexpected or suspect email
messages, instant messages, and peer sharing resources should be avoided or
scripting should be disabled in Internet Explorer as described in the
additional security measures below.<br>
</li>
</ol>
<h3>ADDITIONAL SECURITY MEASURES AND INFORMATION</h3>
<p>There is only one technical defense Internet Explorer users can use against an exploit at the present time, and that is to disable
scripting in Internet Explorer, Outlook, and Outlook Express. Instructions for
disabling scripting in the mail clients were included in the recommendations
above and should have little or no effect on day-to-day use.</p>
<p>Unfortunately,
disabling scripting in Internet Explorer will adversely affect the operation of many web sites, including E-campus
and the Windows Update site. There is, however, a way to specify trusted web sites
that are allowed to use scripting and disable it for all others. Users
desiring to decrease risk may follow the instructions
at the following
web site under the section titled "Optional Internet Explorer Security
Measures":</p>
<p>
<a href="http://www.jmu.edu/computing/info-security/engineering/issues/ie.shtml#opt">http://www.jmu.edu/computing/info-security/engineering/issues/ie.shtml#opt</a></p>
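<p>The following PowerShell is an added example, not part of the original advisory or the linked instructions. It reports the Active Scripting setting for each Internet Explorer security zone, lists the sites mapped to Trusted sites, and applies the configuration described above (scripting disabled in the Internet zone, allowed for named trusted sites). It assumes per-user settings under HKCU with no overriding Group Policy; the function names and the domain <code>trusted.example</code> are hypothetical.</p>

```powershell
# Added example, not from the advisory. Per-user (HKCU) zone settings only; Group Policy overrides them.
$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
# Report the Active Scripting action (URL action 1400) for each security zone.
function Get-ActiveScriptingByZone {
    foreach ($zone in 0..4) {
        $key = Join-Path $InternetSettings "Zones\$zone"
        $raw = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
        $setting = 'Not set'
        if ($null -ne $raw) {
            $setting = $ActionNames[[int]$raw]
            if (-not $setting) { $setting = "Unknown ($raw)" }
        }
        [pscustomobject]@{ Zone = $ZoneNames[$zone]; ActiveScripting = $setting }
    }
}

# List host/protocol pairs mapped to a zone (default 2 = Trusted sites).
function Get-ZoneMappedSite {
    param([int]$Zone = 2)
    $domains = Join-Path $InternetSettings 'ZoneMap\Domains'
    if (-not (Test-Path $domains)) { return }
    $root = (Get-Item $domains).Name
    Get-ChildItem -Path $domains -Recurse | ForEach-Object {
        # Subkeys nest as Domains\<domain>\<subdomain>; rebuild the host name.
        $parts = $_.Name.Substring($root.Length + 1).Split('\')
        [array]::Reverse($parts)
        foreach ($protocol in $_.GetValueNames()) {
            if ($_.GetValue($protocol) -eq $Zone) {
                [pscustomobject]@{ Site = ($parts -join '.'); Protocol = $protocol }
            }
        }
    }
}

# Disable Active Scripting in the Internet zone (3) and map the given domains to Trusted sites over HTTPS.
function Set-ScriptingLockdown {
    param([string[]]$TrustedDomain = @())
    Set-ItemProperty -Path (Join-Path $InternetSettings 'Zones\3') -Name '1400' -Value 3 -Type DWord
    foreach ($domain in $TrustedDomain) {
        $key = Join-Path $InternetSettings "ZoneMap\Domains\$domain"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
    }
}
Set-ScriptingLockdown -TrustedDomain 'trusted.example'   # placeholder domain, not from the advisory
Get-ActiveScriptingByZone | Format-Table -AutoSize
Get-ZoneMappedSite | Format-Table -AutoSize
```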
<p>Risk associated with this exploit and most others can be somewhat reduced by using a non-Administrative Windows
account when browsing the web, reading email, and for other day-to-day computer use.</p>
<p>The defect has been verified in Internet Explorer 5.5 and 6 SP1 running on Windows 98
and XP SP1 respectively. It is likely all varieties of 5.5 and 6 are vulnerable. A quick attempt on a
Windows 95 computer running IE 5.0 was unsuccessful but not enough research was
done to know why.</p>
<p>A possible symptom of an exploit is a window similar to the one below suddenly
appearing on your screen after clicking a hyperlink or opening an email message.
The exact appearance of the window may vary depending upon the version of Internet Explorer
and operating system. <b>Note that this window will appear if you click Help
and under that circumstance the window appearance is not an indication of an exploit</b>. If you
are affiliated with James Madison University and see this window
unexpectedly appear after
clicking a web hyperlink or reading an email message, please
<a href="mailto:flynngn@jmu.edu">contact Gary Flynn</a> at x82364 ASAP. People
affiliated with James Madison University can find my home number in the local
directory and are encouraged to call me at home if such an event takes place
after normal working hours.<br>
</p>
<p><img border="0" src="iehot.1.jpg" width="550" height="450"></p>
<!--msnavigation--></td></tr><!--msnavigation--></table><!--msnavigation--><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td bgcolor="#ffffff">
<table cellspacing="0" cellpadding="0" border="0" summary="This layout table is used to create footer navigation.">
<tr>
<td class="footer">
Publisher: <a class="foot" href="http://www.jmu.edu/computing/techsvcs/">IT Technical Services</a>
Contact: <a class="foot" href="mailto:flynngn@jmu.edu">Security Engineering</a>
<br>
Last Revised: November 19, 2002        
</td>
</tr>
</table>
</td></tr><!--msnavigation--></table></body>
</html>