
New Windows XP SP2 vulnerability exposed

Munir Kotadia ZDNet Australia

Published: 22 Nov 2004 12:50 GMT


According to security Web site K-otik, which is no stranger to controversy, it may be possible to create a custom "Error 404" message to disguise an executable file as 'safe' HTML code.

Error 404 messages are usually displayed when the browser cannot locate an Internet address.

According to K-otik, which has published exploit code that takes advantage of the flaw, it is possible to craft a special error message that bypasses a security function in IE that was created to warn users before they download potentially harmful content.

The advisory on K-otik's Web site states that although there is some user interaction required to exploit the vulnerability, it may be possible to fool a user into downloading and executing a malicious file by using a simple social engineering technique.

According to the advisory, a malicious Web site could prompt all its visitors with a standard grey dialogue box welcoming a user to the site before allowing access to the site's content. If a user clicks on the welcome box they could unknowingly install a file that gives control of their computer to a third party.

"IE attempts to intercept risky code and prompts a security warning message but it seems to allow custom HTTP errors to filter through those security checks. It may be possible to execute the downloaded file by simply forcing the user to press the Enter key," the advisory said.

On November 15, security firm Finjan claimed it had discovered ten flaws in Windows XP SP2 that could allow attackers to "silently and remotely take over an SP2 machine when the user simply browses a Web page".

According to Finjan, hackers could bypass XP SP2's notification mechanism for the download and execution of .exe files, which could let them download files without warning the user.

The code published on K-otik's Web site seems to exploit the same flaw.

At the time, Microsoft said it was investigating Finjan's claims but tried to play down the severity of the flaws.

In a statement, a Microsoft spokesperson said: "Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2."

Microsoft was unable to comment on K-otik's advisory and could not confirm if both companies had stumbled across the same flaw.

Munir Kotadia reported from Sydney for ZDNet Australia.

Jo Best of silicon.com contributed to this report.
