CUSERT® Advisory CA-2000-02 Vulnerability in Feature Common to Most Major Web Browsers

This advisory is being published jointly by the CUSERT Coordination Center, d0d-CERT, and the d0d Joint Task Force for Computer User Stupidity (JTF-CUS).

Original release date: April 23, 2000
Last revised: May 12, 2001

A complete revision history is at the end of this file.

Systems Affected

Overview

A vulnerability has been discovered in most major web browsers that lets a web page open the user's own local hard disk in the browser window. This could result in fear, uncertainty, and doubt, which might cause numerous technical support calls, and chest pains.

I. Description

Background

Most major web browsers provide a feature to view HTML files on the local hard disk. This is accomplished by specifying file:///<path to document> as the document to view. Many of these web browsers are also configured to provide a directory listing if a directory is selected but no default HTML file is specified, or the default HTML file is not present in that directory.

The HREF attribute of the HTML A tag allows a web page designer to specify the protocol (URL scheme) used to reach a web site or file. Most web browsers of the time did not check the scheme given in these links, instead relying on a lack of features to protect the user from malicious code.

II. Impact

Users may unknowingly follow a link placed by a malicious web designer, which would cause their own web browser to display the local hard disk to them. For example, an attacker might include a link like:

<A HREF="file:///c:\">I 0wn j00r b0x!</A>

Following this link could create a sense of fear (ph33r), uncertainty, and doubt (FUD), which might result in several forms of denial of service, as described below. 

Example Denial of Service Issues

1) User's concern causes them to call Technical Support to report this issue. This combines with an existing issue with the Telephone Companies (TelCo), where a call in progress blocks further calls from being processed. This results in a Denial of Service issue for other users trying to reach Technical Support.

2) User's concern causes severe chest pains and a cessation of heart function, which results in a Denial of Service (blood flow) to the brain. Reduced blood flow to the brain (and the reduced oxygen flow this situation creates) can, in turn, cause severe damage to the brain, which creates further issues.


III. Solution

Solutions for Users

None of the solutions that users can take are complete solutions. In the end, it is up to the web browser developers to modify their applications to eliminate these types of problems.

However, users have two basic options to reduce their risk of being denied service through this vulnerability. The first, ensuring that a hyperlink does not reference a local file before following it, provides the most protection but has the side effect for many users of disabling functionality that is important to them, such as clicking on anything that looks nifty.
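The following is an added example, not part of the original advisory, of how the first option can be automated: scan a page's links and flag any whose scheme would send the browser to the local filesystem. It uses the WHATWG URL parser (available in Node.js and in browsers), so the same normalisation a browser applies (lowercasing of the scheme, stripping of leading whitespace, and treatment of backslashes as path separators in file: URLs) is applied before the scheme is compared. The sample HTML, the page URL, and the set of flagged schemes are constructed for this example. Note that current browsers refuse to navigate from an http(s) page to a file: URL at all, and that even where the link works it only shows the user a listing of their own disk; nothing is sent to the attacker.

```javascript
// Added example (not part of the original advisory): flag hyperlinks whose
// scheme would make the browser open the local filesystem.

// Schemes that reach the local machine rather than a remote host.
// Only file: is listed here; extending it is an assumption of this example.
const LOCAL_SCHEMES = new Set(["file:"]);

// Extract href attribute values from raw HTML. A regex is sufficient for the
// <A HREF="..."> shape shown in the advisory; double-quoted, single-quoted
// and unquoted attribute values are all handled.
function extractHrefs(html) {
  const hrefs = [];
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    hrefs.push(m[1] ?? m[2] ?? m[3]);
  }
  return hrefs;
}

// Resolve one href against the URL of the page it appears on, exactly as a
// browser would, and report whether following it would open a local path.
// An href the URL parser rejects is flagged too, since a link that cannot
// be classified should not be silently trusted.
function classifyHref(href, pageUrl) {
  let parsed;
  try {
    parsed = new URL(href, pageUrl);
  } catch {
    return { href, flagged: true, reason: "unparseable" };
  }
  return {
    href,
    flagged: LOCAL_SCHEMES.has(parsed.protocol),
    resolved: parsed.href,
  };
}

// Return only the links on a page that point at the local filesystem.
function findLocalLinks(html, pageUrl) {
  return extractHrefs(html)
    .map((h) => classifyHref(h, pageUrl))
    .filter((r) => r.flagged);
}

// Constructed sample page: one ordinary link, the advisory's example link,
// two obfuscated variants (uppercase scheme, leading whitespace), and a
// relative link that resolves to the page's own https origin.
const SAMPLE_HTML = `
<A HREF="https://www.example.com/">normal link</A>
<A HREF="file:///c:\\">I 0wn j00r b0x!</A>
<a href='FILE:///etc/passwd'>shouty</a>
<a href="  file:///c:/windows/">padded</a>
<a href="/relative/path.html">relative</a>
`;

for (const hit of findLocalLinks(SAMPLE_HTML, "https://www.example.com/page.html")) {
  console.log(`local link: ${JSON.stringify(hit.href)} -> ${hit.resolved}`);
}
```

Running the block prints the three file: links and nothing else. The relative link is not flagged because, resolved against the page URL, it is an https: link; an attacker can only reach the local disk by spelling out the scheme, which is exactly what the scanner keys on.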

The second solution, not using any service that requires a web browser, will significantly reduce a user's exposure. Users should select this option when they require the lowest possible level of risk.

Users who decide to continue operating their web browsers should periodically revisit the CUSERT/CC web site for updates, as well as review other sources of security information to learn of any increases in threat or risk related to this vulnerability.

CUSERT/CC Contact Information

Email: [email protected]
Phone: +1 900-IMA-USER (24-hour hotline)

CUSERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.


Getting security information

CUSERT publications and other security information are available from our web site.


Copyright 2000 Blake R. Swopes.


NO WARRANTY
Any material furnished by the Computer User Stupidity Emergency Response Team/Coordination Center is furnished on an "as is" basis. CUSERT makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity, or results obtained from use of the material. CUSERT does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Revision History

April 23, 2000: Initial release.
February 1, 2001: Modified CUSERT link.
May 12, 2001: Fixed formatting errors.