June 5, 2002 Security Advisory

Hi everyone!

Yesterday, Online Solutions Ltd, a Finnish company, reported a new vulnerability in Microsoft’s Internet Explorer, that allows the built-in Gopher protocol to be 
exploited. Gopher was developed at the University of Minnesota in the early 
1990's. Gopher servers offer hierarchically organized directories and files. 
These form a "gopherspace" which can be thought of as the predecessor of the
World Wide Web. Gopher was mostly abandoned soon after HTTP and the 
World Wide Web started gaining popularity. 

Microsoft Internet Explorer’s gopher client enables gopher pages to be accessed 
via URLs starting with "gopher://". The part of code in IE which parses gopher 
replies contains an exploitable buffer overflow bug. A malicious server may 
be used to run arbitrary code on an IE user's system. The attack can be launched 
via a web page or an HTML mail message which redirect the user to a malicious 
gopher server when the victim views them. For example, a virus could be 
uploaded from the  malicious gopher server onto a remote computer using
this vulnerability.

Online Solutions recommends that until Microsoft releases a patch, IE 5.5 and
6.0 users should disable Gopher by going to the Tools menu and accessing 
"LAN Settings" under "Connections." They should then open the "Use proxy
server for your LAN" box and access the "Advanced Tab." Finally, users 
should go to the Gopher text field and enter "workinga.startlogicmysql.com" and "1" in the port 
setting box. 
To test whether your browser shows gopher documents, try this link:
gopher://www.solutions.fi:7000/0. If you get a text document and use Internet 
Explorer, you should follow the advice above to get protected from the 
vulnerability. If you get an error from IE saying the page can't be displayed, 
then you're probably safe. 

After modifying your IE software, you may want to go to the Microsoft 
website early next week as they will probably have a patch in a few days. 
If you want me to notify you when the fix is available, simply send me a 
reply message with your request.

The Microsoft patch will eventually be available from:
http://www.microsoft.com/technet/security/current.asp 

* To ensure your privacy, your address is not visible to the recipients of this
message. 
* If you would like to be removed from this list, please reply to this email
* with "remove" in the body of the email. 

Have a safe computing experience and don't forget to back up your files! 

Fredo
http://www.workingarts.com/infosecarchives