Internet Explorer MSHTA Security Threat

I'd like to discuss a security threat which was recently discovered in Internet Explorer.

Mike Healan of Spywareinfo.com forwarded an article to me today. The article urges all Windows users to take the necessary precautions to secure their browsers from a nasty exploit recently discovered in Internet Explorer. The exploit allows hackers to gain control of a system and execute harmful code.

http://www.spywareinfo.com/articles/htasploit/

Without further adieu, here is the article by Mike Healan (edited):

--

Members of the SWI support forums have uncovered a very nasty flaw in Internet Explorer, which has already been exploited by hackers. The exploit allows Trojans and other malicious software into an unsuspecting machine via Internet Explorer, despite security settings.

How the Exploit occurs

A hacker may send a Trojan to any computer via the Internet by the use of an ActiveX component. Once the Trojan is executed, it then loads the Windows application "MSHTA.EXE" from the Windows Systems Folder. MSHTA.EXE is then put into "hot standby" mode, which is then ready to accept HTA scripting (programming code) from within any web page.

The flaw makes it possible for a website to embed malicious code (including more Trojans, worms and/or viruses) directly into a web page, and infect visitors instantly while visiting the site. Kevin McLeavy, developer of the BOClean anti-Trojan program, has long regarded MSHTA as a serious security threat.

" While Microsoft has, since our 'big stink' back in 2001, disconnected MSHTA from being invoked by Internet Explorer, it will still run what is presented to it when started on a local machine in the 'local machine' or 'my computer zone' since this is done on some corporate networks for the convenience of the glass room geeks. In other words, [all of] this completely bypasses the security zone structures ... [when the exploit is] presented with [an HTA] script, it will parse it and run it, despite [having a] firewall, or IE restrictions..."

This is a severe security risk, and it is recommended that MSHTA be disabled entirely unless you specifically need it to run as a service. Privacy Software Corporation has developed a program called "HTAStop", which allows you to quickly disable or enable HTA scripting from within Windows.

The program is located at:

http://www.nsclean.com/htastop.html

Side Note: The flaw cannot be exploited until after the original Trojan has been installed on a machine (whether by ActiveX, or other infection methods). It is recommended that you verify that your security settings for the "Internet Zone" (in Tools -> Options -> Security under IE) are set to "prompt or disable ActiveX that is signed and marked as safe". ActiveX which is "unsigned or not marked as safe for scripting" should be blocked entirely. If the author cannot be bothered to certify their software, you should not trust it to run on your machine.

Supplemental links

Privacy Software Corporation Security Advisory

http://www.nsclean.com/psc-htas.html

Mozilla: a free (and much more secure) Internet Explorer replacement browser:

http://www.mozilla.org/products/firebird/