WatchGuard Wire
Improve Your Security IQ
HTML Application files can cause trouble for IE users
About a week ago, Jeffrey van der Stad, a Dutch Web developer, stumbled upon a security vulnerability involving the way Internet Explorer (IE) 6 handles HTML Applications (HTAs). According to van der Stad's post, a malicious Web site can force IE to download and run a malicious HTA file without any user interaction. By enticing you to a Web site prepared with a booby-trapped HTA file, an attacker can exploit this flaw to execute code on your computer with your privileges, potentially gaining complete control of your system.
HTAs are executable Windows applications written using the same programming languages that Web sites use (languages like HTML, DHTML, JavaScript, CSS, etc.). In other words, HTAs are a lot like locally executable Web pages, with one primary exception. Unlike the Web pages you visit on the Internet, HTA files execute with no security restrictions. The zone security features in IE that prevent remote Web sites from running malicious scripts on your computer simply don't work when you execute HTA files. With so much unrestricted power, HTA files pose a significant security risk.
For this reason, Microsoft designed IE to inform you whenever you visit a Web site that tries to send you an HTA file. This feature should prompt you to decide whether or not you trust a site enough to download its powerful (and potentially malicious) HTA file. Unfortunately, van der Stad found a way to bypass this feature and force IE to download and run an HTA file without any user interaction.
Van der Stad has already informed Microsoft of this flaw. He expects them to release a patch during their April patch cycle (though it may slip to a May release). Until then, he won't release technical details concerning this flaw nor his Proof-of-Concept (PoC) code. We'll inform you as soon as Microsoft releases this patch. We recommend you apply it as soon as it comes out.
In the meantime, if you have a firewall or gateway device capable of blocking content by its file extension or MIME type, we recommend you use it to prevent your users from downloading ".hta" files and "application/hta" MIME content. (Fortunately for WatchGuard customers, most Fireboxes already block Web and e-mail based HTA files by default.) -- Corey Nachreiner
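One way to implement the extension and MIME-type block recommended above, written as an added example for this article rather than any Firebox or WatchGuard code. It assumes the gateway hands the filter a request URL plus the parsed response headers, and it also catches the cases a naive check misses: upper-case ".HTA", a query string after the name, a Content-Type carrying parameters, and an ".hta" name supplied only via Content-Disposition.

```python
"""Gateway-style filter that flags HTA downloads by file extension or
MIME type. Example code added to the article, not Firebox logic; the
input layout (URL plus response header dict) is an assumption."""
from email.message import Message  # used only to parse header parameters
from urllib.parse import urlsplit

BLOCKED_EXTENSIONS = {".hta"}
BLOCKED_MIME_TYPES = {"application/hta"}


def _has_blocked_extension(name: str) -> bool:
    """True if the last path component ends with a blocked extension.
    Case-insensitive, so 'EVIL.HTA' is not missed."""
    base = name.rsplit("/", 1)[-1].lower()
    return any(base.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def _mime_type(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalize case."""
    return content_type.split(";", 1)[0].strip().lower()


def _disposition_filename(header: str) -> str:
    """Extract filename="..." from a Content-Disposition value."""
    if not header:
        return ""
    msg = Message()
    msg["Content-Disposition"] = header
    return msg.get_filename() or ""


def should_block(url: str, headers: dict) -> tuple:
    """Return (blocked, reason) for one response. Header names are matched
    case-insensitively; the URL's query string and fragment are ignored so
    'evil.hta?x=1' is still caught."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    path = urlsplit(url).path
    if _has_blocked_extension(path):
        return True, "url extension"
    if _mime_type(hdrs.get("content-type", "")) in BLOCKED_MIME_TYPES:
        return True, "mime type"
    served_name = _disposition_filename(hdrs.get("content-disposition", ""))
    if _has_blocked_extension(served_name):
        return True, "content-disposition filename"
    return False, ""
```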
Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.