CUSERT® Advisory CA-2000-02 Vulnerability in Feature Common to Most Major Web Browsers
This advisory is being published jointly by the CUSERT Coordination Center,
d0d-CERT, and the d0d Joint Task Force for Computer User Stupidity (JTF-CUS).
Original release date: April 23, 2000
Last revised: December 25, 2012
A complete revision history is at the end of this file.
Systems Affected
- Most major web browsing software
Overview
A vulnerability has been discovered in most major web browsers which
provides access to the local hard disk.
This could result in fear, uncertainty, and doubt, which might cause numerous
technical support calls, and chest pains.
I. Description
Background
Most major web browsers provide a feature to view HTML encoded files
on the local hard disk. This is accomplished by specifying file:///<path to
document> as the document to view. Many of these web browsers are also
configured to provide a directory listing if a directory is selected but no
default HTML file is specified or the default HTML file is not present for that
directory.
The HREF HTML tag allows a web page designer
to specify the protocol used to access web sites and files. Most modern web
browsers do not perform error checking on these tags, instead relying on a lack
of features to protect the user from malicious code.
II. Impact
Users may unknowingly follow a link placed by a malicious web
designer, which would provide access to the local hard disk, via the web
browsing software. For example, an attacker might include a link like:
<A HREF="file:///c:\">I 0wn j00r b0x!</A>
Following this link could create a sense of fear (ph33r), uncertainty,
and doubt (FUD), which might result in several forms of denial of service, as
described below.
Example Denial of Service Issues
1) User’s concern causes them to call Technical Support to report this issue.
This combines with an existing issue with the Telephone Companies (TelCo), where
a call in progress blocks further calls from being processed. This results in a
Denial of Service issue for other users trying to reach Technical Support.
2) User’s concern causes severe chest pains and a cessation of heart
function, which results in a Denial of Service (blood flow) to the brain.
Reduced blood flow to the brain (and the reduced oxygen flow this situation
creates) can, in turn, cause severe damage to the brain, which creates further
issues.
III. Solution
Solutions for Users
None of the solutions that users can take are complete solutions. In the end,
it is up to the web browser developers to modify their
applications to eliminate these types of problems.
However, users have two basic options to reduce their risk of being denied
service through this vulnerability. The first, ensuring that the hyperlink does
not reference a local file, provides the most protection but has the side effect for many users
of disabling functionality that is important to them, such as clicking on
anything that looks nifty.
The second solution, not using any services that require a web browser, will significantly reduce a user's exposure. Users should select
this option when they require the lowest possible level of risk.
Users who decide to continue operating their web browsers should periodically revisit the CUSERT/CC web site for updates, as well as
review other sources of security information to learn of any increases in threat
or risk related to this vulnerability.
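One way to apply the first option above, checking that a hyperlink does not reference a local file, is to scan page HTML for anchors whose href resolves to the file: scheme. The following is an added example, not part of the original advisory; it uses the WHATWG URL parser built into Node.js (14 or later) and browsers, and the sample page, the base URL and the function names are constructed for illustration.

```javascript
// Added example: flag anchors whose href navigates to the local file system.
// The scheme is decided by the URL parser after resolution, so uppercase
// schemes, backslashes and relative hrefs are handled the same way a browser
// would handle them, rather than by a naive string prefix match.

// Matches <a ...href=...> with double-quoted, single-quoted or unquoted values.
const ANCHOR_RE = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;

// Resolve one href against the page's base URL. Returns null when the parser
// rejects the value, since such a link cannot navigate anywhere.
function resolveHref(href, baseUrl) {
  try {
    return new URL(href.trim(), baseUrl);
  } catch (_err) {
    return null;
  }
}

// Return every href in `html` whose resolved URL uses the file: scheme.
function findLocalFileLinks(html, baseUrl = "https://example.invalid/") {
  const hits = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const raw = m[1] ?? m[2] ?? m[3]; // whichever quoting style matched
    if (raw === undefined) continue;
    const url = resolveHref(raw, baseUrl);
    if (url !== null && url.protocol === "file:") {
      hits.push({ href: raw, resolved: url.href });
    }
  }
  return hits;
}

// Constructed sample page: the advisory's link, an uppercase variant with a
// localhost authority, a harmless relative link, and an unquoted attribute.
const SAMPLE_HTML = `
<p><A HREF="file:///c:\\">I 0wn j00r b0x!</A></p>
<p><a href='FILE://localhost/etc/'>directory listing</a></p>
<p><a href="/docs/index.html">fine</a></p>
<p><a href=file:///home/user/>unquoted</a></p>
`;

// Report what a reviewer would see for the sample page.
for (const hit of findLocalFileLinks(SAMPLE_HTML)) {
  console.log(`local file link: ${hit.href} -> ${hit.resolved}`);
}
```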
CERT/CC Contact Information
Email: [email protected]
Phone:
- +1 900-IMA-USER (24-hour hotline)
CUSERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other hours, on
U.S. holidays, and on weekends.
Getting security information
CUSERT publications and other security information are available from our web
site
https://www.bhodisoft.com/CUSERT/
Copyright 2000 Blake R. Swopes.
NO WARRANTY
Any material furnished by Computer User Stupidity Emergency Response
Team/Coordination Center is furnished on an “as is” basis. CUSERT
makes no warranties of any kind, either expressed or implied as to any matter
including, but not limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the material. CUSERT
does not make any warranty of any kind with respect to freedom from patent,
trademark, or copyright infringement.
Revision History
April 23, 2000: Initial release.
February 1, 2001: Modified CUSERT link.
May 12, 2001: Fixed formatting errors.
December 25, 2012: Moved to new CMS.