Internet Explorer File Corruption Bug

September 2, 1997

We recently discovered another security hole in Microsoft's Internet Explorer, which allows a hostile web page to silently corrupt files of users who view that page.

October 1, 1997 - This problem has been fixed in the latest release of Internet Explorer.

Thanks to all those who tested our examples on Windows NT.


Severity

This bug allows a hostile web page to write to the hard drive of users who view that page. The content of what is written is not easily controllable, so (to our knowledge at least) this bug could not be used to introduce viruses onto a user's computer. However, it can be used to corrupt files simply by overwriting them with garbage, which makes it simple to corrupt a user's hard drive.

In order to corrupt a file the hostile web page would also need to know the name of the file that it wants to corrupt. However, this lessens the severity of the bug very little because if you are running Windows there is a good chance that you have all of the following files, all of which would cause you great misery if corrupted:

     C:\autoexec.bat
     C:\windows\explorer.exe
     C:\windows\system.ini
...well, you get the picture. A hostile web page could just start writing to a large list of very common files (similar to the one above): if a file already exists it will be corrupted, and if it did not exist it will be created, which could also potentially cause problems.

Finally, this bug is completely silent and it can easily run in the background as soon as a web page finishes loading without the user ever suspecting a thing until it's too late.
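Because the bug overwrites existing files with garbage (and creates files that did not exist) without any user-visible sign, the practical way to notice it after the fact is an integrity baseline of the well-known files the advisory lists. The following is an added example written for this page, not code from the original advisory: it hashes a watched set of paths, re-checks them later, and reports which were modified, created or deleted. The file names and contents are constructed in a temporary directory to stand in for C:\autoexec.bat, C:\windows\system.ini and C:\badfile.bat.

```python
"""Integrity baseline for a list of well-known files (added example).

Constructed scenario: baseline the files a hostile page is most likely to
target, then re-check them and report which were overwritten with garbage
or newly created.  Paths and sample contents are placeholders created in a
temporary directory, not real system files.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, or None if it does not exist."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each watched path to its digest (None when the file is absent)."""
    return {p: sha256_of(p) for p in paths}


def check_baseline(baseline):
    """Compare the current state of each watched path to the baseline.

    Returns a dict path -> one of:
      'ok'        unchanged (or still absent)
      'modified'  existed at baseline time and the content changed
      'created'   absent at baseline time, present now
      'deleted'   present at baseline time, absent now
    """
    report = {}
    for path, old in baseline.items():
        new = sha256_of(path)
        if old == new:
            report[path] = "ok"
        elif old is None:
            report[path] = "created"
        elif new is None:
            report[path] = "deleted"
        else:
            report[path] = "modified"
    return report


def run_demo():
    """Simulate the advisory's scenario in a temp dir and return the report,
    keyed by base file name."""
    with tempfile.TemporaryDirectory() as d:
        autoexec = os.path.join(d, "autoexec.bat")    # stands in for C:\autoexec.bat
        system_ini = os.path.join(d, "system.ini")    # stands in for C:\windows\system.ini
        badfile = os.path.join(d, "badfile.bat")      # stands in for C:\badfile.bat (absent)
        with open(autoexec, "w") as f:
            f.write("@ECHO OFF\r\nPATH C:\\WINDOWS\r\n")   # constructed content
        with open(system_ini, "w") as f:
            f.write("[boot]\r\nshell=explorer.exe\r\n")   # constructed content

        baseline = build_baseline([autoexec, system_ini, badfile])

        # Mimic the bug's effect: one existing file overwritten with garbage,
        # one previously absent file created.
        with open(autoexec, "wb") as f:
            f.write(os.urandom(64))
        with open(badfile, "wb") as f:
            f.write(os.urandom(64))

        return {os.path.basename(p): s for p, s in check_baseline(baseline).items()}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

On a real machine the baseline would be taken from a known-good state and stored off the watched disk, since the same bug could overwrite the baseline file itself if its name were guessable.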


What browsers are vulnerable?

Microsoft Internet Explorer is the only browser (that we know of) which is vulnerable to this exploit. Neither Netscape Navigator nor Mosaic is vulnerable.

Microsoft Internet Explorer 3 and the last preview release of Microsoft Internet Explorer 4 running on Microsoft Windows 95 are both vulnerable, although not all copies of Internet Explorer 3.0 are vulnerable. Internet Explorer 3 requires additional components to be installed for this bug to pose a threat, while these components ship standard with Internet Explorer 4 on Windows 95. Furthermore, several of these components changed names between the release of IE3 and IE4, so the same scripts that work in IE4 need some minor modifications to work in IE3 and vice versa; however, a web page could easily contain an exploit for both browsers.

This bug does affect the Windows NT version of IE, but not the Windows 3.1 or the Macintosh versions, according to Microsoft and other sources.


Examples

The following examples only work on Internet Explorer 4 (unless you have IE3 and have upgraded your JVM to the latest version, in which case they work in IE3 too). Versions of these examples that run in Internet Explorer 3 could easily be written if you have the appropriate DirectX components installed.

Automatic File Corruption

This example exploit automatically creates a file on your machine called C:\badfile.bat after a ten second countdown. If a file called C:\badfile.bat already exists on your machine, it will be overwritten with garbage.

By viewing this example exploit you agree not to reverse-engineer the example for malicious purposes.

Active File Corruption

This example exploit allows you to type the name of a file you would like to corrupt into a form in Internet Explorer. Internet Explorer will then corrupt the file if it already exists and it will create the file if it does not exist. Warning: this really will corrupt whatever file you type so only type the name of files that you wouldn't mind having deleted.

By viewing this example exploit you agree not to reverse-engineer the example for malicious purposes.


Why this bug is present

This bug is present because of Microsoft's proprietary extensions to Java. This is not a bug in Java, it is a bug in Microsoft's extensions to Java. Java's sandbox security model seems to be working well, but Microsoft has essentially built a ladder out of the sandbox which has left Internet Explorer with a defective sandbox.

Microsoft has good reasons to provide Windows-specific extensions to Java: Java has the potential to make the operating system you use about as relevant as the type of keyboard you use, so Microsoft naturally wants to protect their territory (i.e., Windows). However, their hasty attempt to splinter Java into a Windows-specific language is beginning to backfire, as predicted. Microsoft's refusal to ship standard Java components and their introduction of Windows-specific extensions to Java are both attempts to make their claim that Java is not actually cross-platform a self-fulfilling prophecy. Unfortunately, Internet Explorer users have been caught in the crossfire and have been left with a broken version of Java.


How to patch your copy of Internet Explorer

This bug is fixed in the latest version of Internet Explorer, and there is no longer a need to turn Java off. If you are using Internet Explorer you should download the latest version and turn Java back on (if you turned it off).

If you are using Internet Explorer 3 and you do not want to install Internet Explorer 4, you should install the final Java SDK 2.0 when it comes out in order to protect yourself from this bug.


Contact info