We have discovered a security flaw in version 3.0 of
Microsoft's Internet Explorer browser running under Windows 95. An attacker
could exploit the flaw to run any DOS command on the machine of an Explorer
user who visits the attacker's page. For example, the attacker could read,
modify, or delete the victim's files, or insert a virus or backdoor entrance
into the victim's machine. We have verified our discovery by creating a Web
page that deletes a file on the machine of any Explorer user who visits the
Microsoft has issued a
Internet Explorer. We have verified that the patch does fix the flaw.
The core of the attack is a technique for delivering a document to the
victim's browser while bypassing the security checks that would normally be
applied to the document. If the document is, for example, a Microsoft Word
template, it could contain a macro that executes any DOS command. The
attacker could arrange things so the macro was executed automatically as a
consequence of the victim visiting the attacker's page.
Normally, before Explorer downloads a dangerous file like a Word document,
it displays a dialog box warning that the file might contain a virus or
other dangerous content, and asking the user whether to abort the download
or to proceed with the download anyway. This gives the user a chance to
avoid the risk of a malicious document. However, our technique allows an
attacker to deliver a document without triggering the dialog box.
The attack does not require the user to approve any actions by answering
questions, requesting a download, or opening a document or program. Merely
visiting a Web page containing the attack is enough to expose you to it.
Microsoft has been notified and they are working on fixing the problem.
Until a remedy is widely available, we will not disclose further details
about the flaw. Further details will appear on this page at a later date.
We do not know whether Windows NT users of Internet Explorer 3.0 are affected,
though we suspect that they may be.
This flaw was found by Dirk
Balfanz and Edward
Felten. Contact Felten if you have questions.