SecurityFocus 2002-06-04
Browser's support for archaic technology lets attackers burrow in.

The Gopher protocol has been forced underground since the advent of the World Wide Web. But the original Internet surfing technology can still put a nasty bite on users of Microsoft's Internet Explorer browser, a security researcher warned today.
A Gopher client nestled in the darkest corners of IE's code contains an exploitable buffer overflow bug that could allow a malicious server to run arbitrary code on a victim's computer, according to an advisory issued today by Jouko Pynnonen of Finland's Online Solutions.
While Pynnonen refused to provide technical details on exploiting the flaw, he said he has created a test exploit that runs without user intervention on "various IE versions and systems including IE 5.5 and 6.0."
Last December, Pynnonen was credited by Microsoft with identifying a severe security flaw in IE that allowed an attacker to run a program on another user's computer simply by causing the victim to view a Web page or open an HTML e-mail. In that instance, the researcher waited thirty days after the release of Microsoft's patch before disclosing technical details of the file-execution vulnerability.
Unlike IE, the Netscape 6 and Opera Web browsers are not by default configured to support the Gopher protocol.
Launching a Gopher attack does not require a fully operational Gopher server and instead merely requires that users view a Web site containing a program that listens on a TCP port and writes a block of data, according to Pynnonen's advisory.
"The exploiter could do anything that a regular user could do on the system: retrieve, install, or remove files, upload and run programs, etc.,"
A Microsoft representative said the company is investigating Pynnonen's report but had no further comment, except to chide the researcher for potentially putting computer users at risk by publishing the information before "countermeasures" could be developed.
According to Pynnonen, concerned users can protect themselves from such Gopher attacks by disabling IE's built-in Gopher client from the LAN settings section of the Connections menu in IE's Internet Options folder. Instructions are provided in Pynnonen's advisory.
In an interview today, Pynnonen said he decided to publicize the Gopher flaw, even though Microsoft has only known about the bug since May 20 and has just begun to design and code a fix.
"We saw no point in waiting and leaving millions of IE users vulnerable for possibly months, while there is a simple and easy way to protect yourself," said Pynnonen, who noted that Microsoft required a week to reproduce the IE Gopher vulnerability after he provided the company with a demonstration site and exploit code.