Microsoft is struggling to patch up its sixth Internet security scare in a month - this time, one in which a Website can induce Windows 95, NT and 97 systems to cough up usernames and passwords without the user's knowledge.
Although the hole is known as IE Bug #4, it affects even the most recently patched versions of both Explorer and Netscape Navigator. It was discovered by Aaron Spangler, a systems administrator at the University of Washington, who says he has received little feedback from Microsoft on what it is doing to close the hole.
The problem concerns only users with direct IP connections, and firewalls can be configured to overcome it. A potential attack relies on the file structure of the Windows operating system, and the behavior of a browser when it encounters a URL that begins with the "file://" scheme. When Windows sees a file: URL, it attempts to read the specified file from the user's local hard disk.
But in the Windows file system, filenames that begin with a double backslash actually reside on another machine. When a user attempts to access a file through this method, a Windows machine will connect to the specified server - which will then attempt to authenticate the user by asking for a username and password.
Windows automatically sends the credentials the user entered when logging into their own Windows network, which is what most users do when they first boot their machine. Windows will only prompt the user for a password if the values entered at startup are not accepted by the remote server.
Spangler set up a Website to show how this feature could be exploited. His page contains two images which are not stored in the same directory as the other files on the page, but on an SMB Lanman server. In order for the client to download the images, the browser client needs to 'logon' to the Lanman server. In doing this, Windows simply forwards the username and encrypted version of the user's password to the Lanman server.
Spangler modified the Lanman server code to collect logins and passwords and to set challenge-response values in such a way as to ease cracking of the encrypted passwords.
At press time, he had collected passwords from around 1600 sites, "371 [of which] were crackable within less than 5 minutes." Some were not even encrypted, and others, from system administrator accounts, used very weak passwords, such as "dog".
Two fixes have been suggested. The first is that Netscape and Microsoft prevent their browsers from accepting URLs that point to an SMB server. Secondly, network administrators can protect users on their network by blocking TCP port 139 (the SMB port) on their outgoing firewall.
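Until browsers refuse such URLs, a proxy or content filter can flag pages whose automatically fetched resources (images, frames, backgrounds) name a remote machine through a file: URL or a bare \\host\share path, which is exactly the construction the article describes. The following is an added example, not code from the article or from Spangler's site; the set of tag/attribute pairs treated as auto-fetching and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute values a browser fetches without any user action (assumed set).
AUTO_FETCH_ATTRS = {("img", "src"), ("frame", "src"), ("iframe", "src"),
                    ("link", "href"), ("script", "src"), ("body", "background")}

def is_smb_reference(url):
    """True if fetching this URL would make Windows open an SMB session to a remote host.

    Covers the forms the article describes: file://host/share/..., file:////host/share/...
    and a bare UNC path \\host\share\..., with either slash style.
    """
    u = url.strip().replace("\\", "/")
    if u.startswith("//"):              # bare UNC path, e.g. \\host\share\pic.gif
        return True
    if not u.lower().startswith("file:"):
        return False                    # http:, https:, ftp: etc. never reach SMB
    p = urlparse(u)
    host = p.netloc.lower()
    if host and host not in ("localhost", "127.0.0.1"):
        return True                     # file://host/share/pic.gif names a remote machine
    return p.path.startswith("//")      # file:////host/share/pic.gif: UNC name in the path

class _SmbRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []                  # (tag, attribute value) pairs that would trigger SMB

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH_ATTRS and value and is_smb_reference(value):
                self.hits.append((tag, value))

def find_smb_references(html):
    """Return every auto-fetched reference in the page that points at an SMB host."""
    finder = _SmbRefFinder()
    finder.feed(html)
    return finder.hits

# Constructed sample page: three of the five references would cause an SMB logon.
SAMPLE_PAGE = """<html><body background="file:////lab-server/pub/bg.gif">
<img src="http://www.example.org/logo.gif">
<img src="file://lab-server/pub/pixel.gif">
<img src="file:///C:/WINDOWS/clouds.bmp">
<img src="\\\\lab-server\\pub\\spacer.gif">
</body></html>"""

if __name__ == "__main__":
    for tag, ref in find_smb_references(SAMPLE_PAGE):
        print(f"SMB reference in <{tag}>: {ref}")
```

A local file: URL such as file:///C:/... is not flagged, since it never leaves the machine; blocking TCP port 139 outbound remains the backstop for references this check does not see.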
Spangler's site is at http://www.ee.washington.edu/computing/iebug/ - but Windows users who visit should be prepared to change their passwords afterwards.