MIME Spoofing Risk

To me, this is the single biggest risk from a Windows bug we have seen yet - and it affects every version of Windows as shipped prior to Windows XP.  It has been routinely exploited by malware since BadTrans.B around November 2001.

To understand the bug, consider that a file that forms part of an "HTML page" has three indications of content: the file's name (in practice, its extension), the MIME content type declared in the wrapper that embeds it in the page, and the internal structure of the file's own data.

Two basic issues combine to create this risk; the use of generic multi-purpose code to "open" files, and an absence of sanity-checking to ensure that these three content indicators match.

We have already seen how Office malware such as CAP exploits this scenario, causing Word to run Word macros within files where these ought not to be present, e.g. .txt, .rtf or .htm files.  In this case, Word failed to check whether files that are internally in Word form (complete with auto-running macros) are named as such.  Perhaps there are contexts such as DDE or OLE where this context information is lost, but certainly, when "opening" an RTF file, Word should have had the street-smarts to consider extension-spoofing as possibly hostile in intent.

The MIME-spoofing risk is the same sort of flaw, but happening at a different level; between the name of a file, and the way it is wrapped in the HTML container document.  The flaw is in the HTML rendering engine that is part of Internet Explorer and used system-wide within Windows - so this affects Internet Explorer, Outlook, Outlook Express, and anything else that passes HTML to Windows to be displayed.

The broken HTML engine examines the MIME wrapper information and decides on this basis whether the file should be "opened" as part of the HTML display or linked to be optionally clicked.  If the wrapper describes the file as something to be "opened" as part of the page, it passes the file to the system's generic "file opener"; this then "opens" the file. 

Because no check is made on whether the file extension or internal content (which the generic "file opener" will use to decide how to "open" the file) correlates with the MIME wrapper (on which the HTML renderer based the decision to "open" the file), it is possible to wrap dangerous file types, such as raw code, as if they were part of the page to be displayed.

The result: such files will be run automatically whenever the container HTML is (pre)viewed.  The user has no chance to veto this, as no clicking is involved, and walling out embedded HTML scripts etc. has no effect, because no script is needed; the renderer does the "opening" on its own.

Early descriptions of this risk referred to it as an IFrame problem, but while IFrame provides a convenient way to exploit the bug, it's not necessary.  So filtering mail for <$i$f$r$a$m$e (in impoverished form) cannot be relied upon to catch such exploits.
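The sanity check that the engine omits, shown as an added example that is not part of this article and not Microsoft's code: a Python script that walks a MIME-wrapped HTML mail and, for each part, compares the three content indicators (the wrapper's Content-Type, the type implied by the file name's extension, and the type implied by the leading bytes) and reports any disagreement, with a specific flag for the case the article describes, where an executable is wrapped under a type the renderer would open inline.  The sample message is constructed here (a part declared audio/x-wav but named readme.exe and carrying a DOS "MZ" header, next to an honest WAV part); the extension and magic-byte tables are this example's own assumptions and are deliberately short.  It never looks at the HTML, so it is unaffected by the obfuscated-IFrame problem above.

```python
import os
from dataclasses import dataclass, field
from email import encoders, message_from_bytes, policy
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List, Optional

# Assumed (short) table: what a file extension implies about content.
EXT_TYPES = {
    ".wav": "audio/x-wav", ".gif": "image/gif", ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg", ".htm": "text/html", ".html": "text/html",
    ".txt": "text/plain", ".exe": "application/x-msdownload",
    ".com": "application/x-msdownload", ".scr": "application/x-msdownload",
    ".pif": "application/x-msdownload",
}
# Types that make no claim about content, so they cannot contradict anything.
GENERIC = {None, "application/octet-stream"}
EXECUTABLE = "application/x-msdownload"


def sniff(data: bytes) -> Optional[str]:
    """Classify content by its leading bytes (assumed, minimal magic table)."""
    if data.startswith(b"MZ"):                        # DOS/PE executable header
        return EXECUTABLE
    if data.startswith(b"RIFF") and data[8:12] == b"WAVE":
        return "audio/x-wav"
    if data.startswith(b"GIF8"):
        return "image/gif"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    return None


@dataclass
class Finding:
    index: int
    filename: str
    declared: str               # Content-Type in the MIME wrapper
    by_name: Optional[str]      # type implied by the file extension
    by_content: Optional[str]   # type implied by the bytes themselves
    problems: List[str] = field(default_factory=list)


def check_message(raw: bytes) -> List[Finding]:
    """Return one Finding per leaf part whose three indicators disagree."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    index = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        index += 1
        declared = part.get_content_type()
        name = part.get_filename() or ""
        by_name = EXT_TYPES.get(os.path.splitext(name)[1].lower())
        by_content = sniff(part.get_payload(decode=True) or b"")
        f = Finding(index, name, declared, by_name, by_content)
        known = {k: v for k, v in (("wrapper", declared), ("name", by_name),
                                    ("content", by_content)) if v not in GENERIC}
        if len(set(known.values())) > 1:
            f.problems.append("indicators disagree: " +
                              ", ".join(f"{k}={v}" for k, v in known.items()))
        # The pattern the article describes: executable by name or by bytes,
        # but a wrapper type the renderer would "open" as part of the page.
        if EXECUTABLE in (by_name, by_content) and declared not in GENERIC:
            f.problems.append(f"executable wrapped as {declared}, which would be opened inline")
        if f.problems:
            findings.append(f)
    return findings


def _audio_part(data: bytes, filename: str) -> MIMEBase:
    part = MIMEBase("audio", "x-wav")
    part.set_payload(data)
    encoders.encode_base64(part)
    part.add_header("Content-Disposition", "inline", filename=filename)
    return part


def build_sample() -> bytes:
    """Constructed sample message (not a captured exploit)."""
    msg = MIMEMultipart("related")
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("<html><body>Hello</body></html>", "html"))
    # Honest part: wrapper, name and bytes all say WAV audio.
    msg.attach(_audio_part(b"RIFF\x24\x00\x00\x00WAVEfmt ", "chime.wav"))
    # Spoofed part: wrapper says WAV audio, name and bytes say executable.
    msg.attach(_audio_part(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00", "readme.exe"))
    return msg.as_bytes()


if __name__ == "__main__":
    for f in check_message(build_sample()):
        print(f"part {f.index} ({f.filename!r}): declared={f.declared} "
              f"name={f.by_name} content={f.by_content}")
        for p in f.problems:
            print("  -", p)
```

Run stand-alone it reports only the third part, with both problems.  A mail gateway applying this check would quarantine on the second problem alone, since there is no legitimate reason for an executable to be wrapped as audio or an image; the first problem is noisier (mislabelled but harmless attachments are common) and is better logged than blocked.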

Product recall?

Microsoft have not recalled any product, shipped fixing CDs to vendors, or slipped a companion CD into unsold stock; if you buy Windows 98SE or Windows Millennium today, you will get the same dangerously broken engine.   "Product recall", software industry style, is where the vendor puts the fix on a web site and the user has to download it - no matter how large the download or impractical this may be.

Further, there is variance between the standard instructions issued by Microsoft, and what you actually need to do...

Stated vs. actual fix procedure

If your Internet Explorer version is affected and patchable, you are advised to download the patch and apply it.  If you do this, but your Internet Explorer is "too old" to be patched, the patching process will not tell you this; instead, it will tell you that you "don't need this update".   Trap number 1.

Trap number 2: there are two different patchable versions of Internet Explorer, and the download patches have the same Q319182.EXE file name but are internally different and incompatible, with no "readme" or equivalent whereby these files document themselves.

If you know your Internet Explorer is "too old" for a simple patch, then you are to download and install a newer version of Internet Explorer and Outlook Express.  You are advised to follow the default installation procedure to do a full install; you are specifically advised against going "custom", and it is not stated which parts of the full install are required to fix the flaw.

However, on the IE/OE downloads I've seen, the default installation is "minimal install".  You have to choose "Customize your browser" instead, and then choose "Full" from the dropdown list in the dialog that follows - a bit different to the advice to "not go Custom", and that's trap number 3.

The safe, fixable and the doomed

Internet Explorer 5.01 SP2 and later - OK
Internet Explorer 5.5 SP2 and later - OK
Internet Explorer 6 and later - OK
Internet Explorer 5.01 SP1 - patchable
Internet Explorer 5.5 SP1 - patchable
Anything older - doomed, must be upgraded

What this means is that every Windows version older than XP is, as shipped, unpatchable: none of those OSs ships with Internet Explorer Service Packs applied.  Windows Millennium includes IE 5.5 SP0, Windows 98 Second Edition includes IE 5.00, and anything older ships something older still.

Internet Explorer 6 will not install on any Windows 95 subversion, so there you would have to use one of the fixed or fixable Internet Explorer 5.01 or 5.5 subversions.  It's not clear whether really old versions of Internet Explorer, such as 3.xx, are at risk.  That creates a problem for older PCs that lack the RAM and hard drive space required for Internet Explorer 5.xx; as these are also likely to be too slow to run contemporary "underfootware" antivirus utilities, the risk becomes significant.

Salting them wounds

Having compelled you to upgrade Internet Explorer in "full" mode, the installation then leverages that famous Windows User Interface monopoly to push Outlook Express and (for Millennium users) Windows Media Player in your face again.  Icons for these are liberally dotted over the desktop, Start menu, Programs base level and Quick Launch, and in some cases the shortcuts are set as read-only, so that newbies will be scared off deleting them.

If you should run one of these Outlook Express icons, Outlook Express will immediately set about making itself at home; importing mail account settings and message stores from competing applications, and setting itself as the default email application.

There are reasons why you may want to Just Say No - plus, if you had previously applied risk management to disable Windows Scripting Host, you'd have to do that all over again too.


(C) Chris Quirke, all rights reserved - December 2002
