Original release date: April 23, 2000
Last revised: May 12, 2001
A complete revision history is at the end of this file.
A vulnerability has been discovered in most major web browsers which provides access to the local hard disk. This could result in fear, uncertainty, and doubt, which might cause numerous technical support calls, and chest pains.
Most major web browsers provide a feature to view HTML encoded files on the local hard disk. This is accomplished by specifying file:///<path to document> as the document to view. Many of these web browsers are also configured to provide a directory listing if a directory is selected but no default HTML file is specified or the default HTML file is not present for that directory.
The HREF HTML tag allows a web page designer to specify the protocol used to access web sites and files. Most modern web browsers do not perform error checking on these tags, instead relying on a lack of features to protect the user from malicious code.
Users may unknowingly follow a link placed by a malicious web designer, which would provide access to the local hard disk, via the web browsing software. For example, an attacker might include a link like:
<A HREF="file:///c:\">I 0wn j00r b0x!</A>
Following this link could create a sense of fear (ph33r), uncertainty, and doubt (FUD), which might result in several forms of denial of service, as described below.
1) User's concern causes them to call Technical Support to report this issue. This combines with an existing issue with the Telephone Companies (TelCo), where a call in progress blocks further calls from being processed. This results in a Denial of Service issue for other users trying to reach Technical Support.
2) User's concern causes severe chest pains and a cessation of heart function, which results in a Denial of Service (blood flow) to the brain. Reduced blood flow to the brain (and the reduced oxygen flow this situation creates) can, in turn, cause severe damage to the brain, which creates further issues.
None of the solutions that users can take are complete solutions. In the end, it is up to the web browser developers to modify their applications to eliminate these types of problems.
However, users have two basic options to reduce their risk of being denied service through this vulnerability. The first, ensuring that the hyperlink does not reference a local file, provides the most protection but has the side effect for many users of disabling functionality that is important to them, such as clicking on anything that looks nifty.
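The first option, checking that a hyperlink does not reference a local file, can be done mechanically. The following is an added example, not part of the original advisory; the function names, the sample markup and the example.test URLs are constructed for illustration.

```javascript
// Extract href values from <a> tags (double-quoted, single-quoted or unquoted).
function extractHrefs(html) {
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hrefs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    hrefs.push(m[1] ?? m[2] ?? m[3]);
  }
  return hrefs;
}

// Resolve each href against the page's own URL, as a browser would, and
// return the links whose final scheme is file:. Resolving first means that
// mixed case, leading whitespace and backslashes do not hide the scheme, and
// that relative links on a locally opened page are reported as well.
function findLocalFileLinks(html, pageUrl) {
  const flagged = [];
  for (const href of extractHrefs(html)) {
    let resolved;
    try {
      resolved = new URL(href, pageUrl);
    } catch {
      continue; // unparseable href: nothing to navigate to
    }
    if (resolved.protocol === "file:") {
      flagged.push({ href, resolved: resolved.href });
    }
  }
  return flagged;
}

// Constructed sample page; the first link is the one quoted in the advisory.
const samplePage = String.raw`
<A HREF="file:///c:\">I 0wn j00r b0x!</A>
<a class="nav" href=' FILE:///etc/'>settings</a>
<a href="docs/readme.html">relative link</a>
<a href="https://example.test/">remote link</a>
<a href="http://[bad">broken link</a>
`;

for (const hit of findLocalFileLinks(samplePage, "http://example.test/index.html")) {
  console.log(`local file link: ${JSON.stringify(hit.href)} -> ${hit.resolved}`);
}
```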
The second solution, not using any services that require a web browser, will significantly reduce a user's exposure. Users should select this option when they require the lowest possible level of risk.
Users who decide to continue operating their web browsers should periodically revisit the CUSERT/CC web site for updates, as well as review other sources of security information to learn of any increases in threat or risk related to this vulnerability.
CUSERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Copyright 2000 Blake R. Swopes.