MCI Telecommunications
internetMCI Security Group

Report Title:          iMCI MIIGS Security Alert
Report Name:           MS IE 3.0 Bug
Report Number:         iMCISE:IMCIWPI:030397:01:P1R1
Report Date:           03/03/97
Report Format:         Formal
Report Classification: MCI Informational
Report Reference:      http://www.security.mci.net
Report Distribution:   iMCI Security, MCI Internal Internet Gateway
                       Security (MIIGS), MCI Emergency Alert LiSt (MEALS)
                       (names on file)

--------------------------------------------------------------------------

Students at the Worcester Polytechnic Institute last week identified a security exposure in Microsoft Internet Explorer that allows Web servers to run arbitrary commands on the computers of users of MS IE 3.0 browsers.

The following alert was reported on http://www.cybersnot.com/iebug.html:

Internet Explorer Bug
2/27/97 (Version 3.0 (4.70.1155))

Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug which allows web page writers to use ".LNK" and ".URL" files to run programs on a remote computer. This bug is particularly damaging because it uses NO ActiveX, and works even when Internet Explorer is set to its highest security level. It was tested on Microsoft Internet Explorer Version 3.0 (4.70.1155) running Windows 95. Windows 95 DOES NOT PROMPT BEFORE EXECUTING THESE FILES.

.URL files are WORSE than .LNK files because .URLs work in both Windows 95 and Windows NT 4.0 (.LNK's only work in Windows 95). .URL files present a possibly greater danger because they can be easily created by server side scripts to meet the specific settings of a user's system. We will provide .URL files for execution in the next day or so.

The "shortcuts" can be set to be minimized during execution which means that users may not even be aware that a program has been started. Microsoft's implementation of shortcuts becomes a serious concern if a webpage can tell Internet Explorer to refresh to an executable. Or worse, client side scripts (Java, JavaScript, or VBScript) can use the Explorer object to transfer a BATCH file to the target machine and then META REFRESH to that BATCH file to execute the rogue command in that file.

Security Comparison .URL vs .LNK

Naturally, the files must exist on the remote machine to be properly executed. But, Windows 95 comes with a variety of potentially damaging programs which can easily be executed.

Microsoft says a bug-fix will be available within 48 hours (as of March 3, 1997) at:

http://www.microsoft.com/ie/default.asp

And have provided a technical update at:

http://www.microsoft.com/ie/security/update.htm

Internet Explorer Bug Discovered By Paul Greene
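
Added example (not part of the MCI report or the quoted alert): a gateway-side content check, in Python, that flags HTML which links to, embeds, or META REFRESHes to the file types the alert names (.LNK, .URL and batch files). The function and class names, the list of attributes checked and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".lnk", ".url", ".bat")   # shortcut and batch types named in the alert
URL_ATTRS = {"href", "src", "data"}     # assumption: attributes that can carry a target

def is_risky(target):
    """True if the path part of a link target ends in a risky extension."""
    # urlparse splits off the query string and fragment, so "?x=a.bat" is ignored
    return urlparse(target.strip()).path.lower().endswith(RISKY_EXT)

class ShortcutRefFinder(HTMLParser):
    """Collects (where, target) pairs for every risky reference in a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        # <META HTTP-EQUIV="Refresh" CONTENT="0; URL=..."> redirects with no click
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m and is_risky(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1).strip()))
        for name, value in a.items():
            if name in URL_ATTRS and is_risky(value):
                self.findings.append((f"{tag}[{name}]", value.strip()))

def find_shortcut_refs(html):
    finder = ShortcutRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from the alert); hosts are placeholders.
SAMPLE = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://www.example.test/files/run.url">
</head><body>
<a href="docs/readme.html">docs</a>
<a href="HTTP://www.example.test/tools/setup.LNK">tool</a>
<a href="page.html?next=x.bat">harmless query string</a>
</body></html>"""

if __name__ == "__main__":
    for where, target in find_shortcut_refs(SAMPLE):
        print(f"{where}: {target}")
```
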