Norton Utilities, Internet Explorer Combo Puts Systems in Harm's Way

By David Berlind
Testing by Joe Moran

Combination of NU 2.0 for Windows 95 and Internet Explorer 3.x highlights security weaknesses in ActiveX controls

Your worst fears have come true. McAfee Associates has discovered, and Windows Sources has confirmed, a flaw in the underlying architecture of Internet Explorer and Windows 95 that renders users of the Web vulnerable to a range of catastrophes. These disasters range from an involuntary reformatting of your hard drive to a breach of information once thought to be secure.

Users running the combination of Windows 95, Internet Explorer 3.x, and Symantec's Norton Utilities 2.0 for Windows 95, one of the most popular and widely used software utility products for Windows 95, are currently known to be at risk. (In the spirit of disclosure, users should be aware that McAfee Associates and Symantec Corp. are competitors in the utilities and anti-virus software market.) Neither Verisign's Authenticode (which is built into Internet Explorer) nor the recent IE security patches posted on Microsoft's Web site offer any protection.

According to Reston, VA-based research firm PC Data, 143,559 licenses have been issued for Norton Utilities, and 125,825 users have Internet Explorer. The number of users who have actually deployed both at the same time is unknown.

The problem lies in TUNEOCX.OCX, a core component of Norton Utilities' System Genie. When installed, this OCX is marked as safe for scripting ("scriptable"), which allows ActiveX-aware Web page scripts to make use of this ActiveX control. This control supports a "run" option that allows the script to execute any local application, such as the FORMAT or FTP (net-based file transfer) commands. Windows Sources analysis of Norton Utilities found that this component essentially granted unauthorized access to any system resource that is normally accessible from the desktop itself.
As a result, any programmer with access to one of Microsoft's scripting tools (VBScript, MS C++, Visual C++, Visual J++, etc.) can leverage this control to perform any task on the target system, unbeknownst to the system's user. For example, a Web page hacker could build a page that, when viewed by Internet Explorer, runs a few lines of VBScript code that wipes out a hard drive, installs a Trojan horse, or invokes file transfer and directory utilities to retrieve confidential information. Worse yet, all these tasks could be performed in the background without the user ever knowing what's happening to their system.

Verisign's Authenticode, billed by Microsoft as a protection mechanism built into Internet Explorer that allows users to intervene before potentially dangerous code is downloaded, is ineffective against this sort of invasion. That's because Authenticode watches for software that's about to be downloaded, but not for VBScripts that activate software components already installed on the system (e.g., TUNEOCX.OCX).

Although the aforementioned combination of software is currently the only known group at risk, there could be other combinations of applications and ActiveX-based browsers that are equally vulnerable. The smoking gun in this example is Norton Utilities 2.0, but NU simply exposes an important and oft-debated feature/weakness in Microsoft's ActiveX architecture. Other products that are already deployed en masse could be "offering" the same service to those with malicious intent.

In tests, Windows Sources found the same combination running on Windows NT (including the NT-based version of NU) to be safe. HealthyPC, another PC tune-up utility from Symantec, also tested safe at Windows Sources.

SYMANTEC, MICROSOFT RESPOND

According to Symantec Sr. Product Manager Tom Andrus, "It is a problem. We know how serious it is. But we think that it is very uncommon. To our knowledge, there are no Norton Utilities users in the world that have run into this."
To Symantec's credit, Norton Utilities 2.0 includes a feature called Live Update that automatically updates a user's system with new drivers and software when that system is connected to the Internet. "We've worked out a fix and it's in the hands of our quality assurance group right now," said Andrus. "By this afternoon, a fix will be up on-line so that any PC that connects to the Internet while running Live Update will be automatically fixed so as not to allow this again." For more information, users can go to www.symantec.com.

Microsoft sought to put this situation in a more positive light, highlighting the ability to quickly fix the problem rather than the problem itself. "The fact that [Symantec] could fix it so quickly is a major testament to the flexibility of the ActiveX architecture," said Microsoft Program Marketing Manager Cornelius Willis. "Yes, this is a threat but there are so many threats. Vendors can mark off-the-shelf software safe-to-script or not-safe-to-script. For example, Microsoft Excel is marked not-safe-to-script because it has access to system resources. Therefore Excel is invulnerable to such attack. VBScript and JavaScript will only instantiate controls that are marked safe-to-script and this was one of them."

"Plug-ins (a la Netscape's Navigator) have no digital certificates or safe-to-script toggles and we feel that ActiveX is the only architecture that offers any kind of accountability for downloaded software," added Willis.

But, in Windows Sources tests of the Norton Utilities example, ActiveX offered no opportunity to engage this accountability, since it involved a script acting against an already installed component (from shrink-wrapped software) rather than the downloading of software.

SOLVING THE PROBLEM

There are preventative measures users can take to protect themselves.
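The safe-to-script marking Willis describes is recorded in the registry: a control registers the component category CATID_SafeForScripting, {7DD95801-9882-11CF-9FA9-00AA006C42C4}, as an empty subkey under Implemented Categories beneath its CLSID (the sibling category {7DD95802-9882-11CF-9FA9-00AA006C42C4} is CATID_SafeForInitializing). The script below is an added example, not code from the article, from Symantec or from Microsoft: it parses the text of a registry export of HKEY_CLASSES_ROOT\CLSID and lists every control carrying that category, which is the inventory an administrator needs to decide which installed controls a Web page script could instantiate. The registry text, the CLSIDs and the file paths in it are constructed placeholders, not Norton Utilities' real identifiers.

```python
"""Audit a .reg export of HKCR\\CLSID for controls marked safe for scripting.

Added example, not part of the original article. The sample export below is
constructed; its CLSIDs and paths are placeholders, not real Symantec values.
"""
import re
from dataclasses import dataclass, field

# Real Microsoft component-category identifiers (CATIDs).
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

# [HKEY_CLASSES_ROOT\CLSID\{clsid}] or [HKEY_CLASSES_ROOT\CLSID\{clsid}\sub\key]
KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?\]$")
# @="value" (default value) or "name"="value"
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')


@dataclass
class Control:
    clsid: str
    name: str = ""        # default value of the CLSID key (ProgID-style name)
    server: str = ""      # InprocServer32 default value (the OCX/DLL path)
    categories: set = field(default_factory=set)


def parse_reg_export(text):
    """Return {clsid: Control} from the text of a .reg export of HKCR\\CLSID."""
    controls = {}
    current = None  # (Control, subkey path) for the key whose values follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            clsid, subkey = m.group(1).upper(), (m.group(2) or "")
            ctl = controls.setdefault(clsid, Control(clsid))
            current = (ctl, subkey)
            # A component category is an empty subkey named by its CATID.
            parts = subkey.split("\\")
            if len(parts) == 2 and parts[0].lower() == "implemented categories":
                ctl.categories.add(parts[1].upper())
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        ctl, subkey = current
        # .reg files quote strings and double every backslash; undo both.
        value = v.group(2).strip().strip('"').replace("\\\\", "\\")
        if v.group(1) == "@" and subkey == "":
            ctl.name = value
        elif v.group(1) == "@" and subkey.lower() == "inprocserver32":
            ctl.server = value
    return controls


def scriptable_controls(controls):
    """(clsid, name, server) for every control marked safe for scripting."""
    return [(c.clsid, c.name, c.server)
            for c in sorted(controls.values(), key=lambda c: c.clsid)
            if CATID_SAFE_FOR_SCRIPTING in c.categories]


# Constructed sample export: one control marked safe for scripting (standing in
# for a component like TUNEOCX.OCX) and one automation server that is not.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}]
@="Example Tune-Up Control (placeholder)"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\InprocServer32]
@="C:\\EXAMPLE\\TUNEOCX.OCX"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000BBBB}]
@="Example Spreadsheet Automation Server (placeholder)"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000BBBB}\LocalServer32]
@="C:\\EXAMPLE\\SHEET.EXE"
"""

if __name__ == "__main__":
    for clsid, name, server in scriptable_controls(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{clsid}  {name}  ({server})")
```

On a real machine the input would come from `reg export HKEY_CLASSES_ROOT\CLSID clsid.reg`. One caveat for anyone using this as an inventory: a control can also declare itself safe programmatically by implementing the IObjectSafety interface, which leaves no category subkey in the registry, so a clean report from this parser is necessary but not sufficient evidence that no scriptable control is installed.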
Following one of these five steps will help protect your system from the effects of the toxic software combination:

1) Download the patch from Symantec
2) Uninstall Norton Utilities
3) Disable support for ActiveX scripting in Internet Explorer
4) Switch to a non-ActiveX-based browser such as Netscape's Navigator
5) Stay off the Net

Be warned also that, going forward, addressing the problem through Norton Utilities is not a complete fix. Downloading a patch or uninstalling NU will not protect a system if other, equally vulnerable software is already installed. Additionally, disabling ActiveX scripting or switching to a non-ActiveX browser may disable other Web- and ActiveX-based applications. Manually disabling Norton Utilities without uninstalling it is unlikely to safeguard the system and therefore is not recommended.

Corporate sites that use Windows 95's centralized policy management features may also disable the ability to run Internet Explorer throughout their local area networks. Unfortunately, the same policy management feature doesn't provide centralized management of Internet Explorer's run options, making it impossible to reach across corporate nets and just disable support for ActiveX scripting.

Finally, for those who are really paranoid, switching to Windows NT might be one last measure of assurance. Under Windows NT, software cannot be executed without a security token that authenticates the code's privileges to the system's resources. Such code usually inherits the rights of the user sitting at the machine, thus limiting intruding code to only the resources that user has rights to access. Provided that the user doesn't have administrator-level rights, the malicious code's impact could be far less catastrophic.

Copyright © 1997 Ziff-Davis Publishing Co. All rights reserved.