Stealing data via Internet Explorer 4

While surfing the Web or reading your email, an intruder from the Internet steals your data without hindrance. A horror vision? Microsofts new Internet Explorer 4 makes it a reality. It allows the hiding of commands in an email or Web page, that secretly send files to unauthorized people.

Internet Consultant Ralf Hueskes, who reviewed IE4 for the German computer magazine c't, considers this security hole a severe problem for end users and companies: "Even a corporate network secured by a firewall is not protected against this attack." The security hole is not an error in the code, but has its reasons in the concept of the program, he says. It even exists when the browsers security options are set to the standard values for "high".

This way it is possible to spy out text and HTML files at least. Whether there are other types of files affected is not cleared up at the moment. The security hole exists in IE4 for Windows 95 and NT. Apparently, the preview version for the Apple Macintosh is not affected. The only obstacle for the intruder: he has to specify exact path names or Intranet addresses for the files. Since a lot of programs, e.g. when running with Windows, use standardized directory names, the thief has a good chance to get the security file for a homebanking program, for example.

The trick is quite easy. It is based on Microsofts Dynamic HTML. The intruder hides a so-called IFRAME with a reference to the wanted document in a mail or Web page. While the unsuspicious victim reads, the Microsoft browser or the email client Outlok Express loads the referenced file into an unvisible window. An additional hidden IFRAME then sends it to the hackers server.

At the moment, the only way to protect your data is to disable the setting "Active Scripting" in the basic options of Internet Explorer for all Internet zones. (You can find it in the menu View", Internet options", security", settings".) But then, important program functions are lost - many web offerings are not accessible anymore.

Informed about the test results, Microsoft acted quickly. In the night of Thursday, software developers from the headquarters in Redmond held a telephone conference with editors from c't to get the technical details. They also accessed a German Web server, that was set up especially to demonstrate the security hole. A spokesperson from Microsoft stated afterwards, that a program to correct the problem would presumably be put on Microsoft's Web site on Friday, October 17th. But Microsoft regards the failure not to be severe, he said. It wouldn't be possible to change or destroy files this way.

Detailled information about the IFRAME security hole and protection mechanisms can be read on the Web server of Ralf Hueskes (http://www.jabadoo.de/press/ie4_us.html) and also in the upcoming issue 12/97 of c't, that will be published on October, 27th. (jk)