MS IE User's Authentication Details (userid/password) Sharing Issue

From: Debasis Mohanty (mail@hackingspirits.com)
Date: Sun Dec 12 2004 - 16:57:27 EST


I would like to highlight an issue with IE which I have verified with
Microsoft before posting it here. This issue of IE has got very limited
security implications. I have also included the reply from Microsoft in this
post for reference.

The details of this IE issue can be found below:

Microsoft Internet Explorer User's Authentication Details Sharing
-----------------------------------------------------------------
Details:
When IE is configured to access internet using proxy, the user's
authentication details are cached locally without IE prompting the user.
Even though the "save my password" option is not checked, the user's proxy
authentication details are cached locally without the user's knowledge.

Since, user's details are restricted to each instances of IE and for each
new instances of IE opened by the user will prompt the user for entering
username / password to authenticate to the proxy. But if any html file is
opened locally in IE and then links are used to right-click and open a new
IE window then it doesn't ask for authentication. It is happening because
the saved user's details are being shared by the previously active browser
eventhough the user has not saved the userid/password.

There are two cases when every new instances of IE share the user's
authentication details with the previously active IE instance. They are:

a. If a simple html file (with any hyperlinks in it) is opened locally in IE
then the hyperlinks are used to surf the desired site then IE doesn't prompt
for any user authentication details as it shares the user's credentials from
the previously opened active IE instance.

b. If the user uses right click and open new IE window for any links from an
active IE instance then the new IE window shares the user's credentials from
the previously opened active IE instance.

Note:
# This doesn't happen when a complete new instance of IE is opened to surf
any link.
# This works even the user doesn't check the "save password" option to save
the password details.

I have tested this on the following environment:
Win2K (with SP4) + IE 6.0 and
WinXP (SP1 + hotfixes - SP2) + IE 6.0

Workaround (Provided by Microsoft):
***********************************
What could help resolve this is to perhaps explain the to a user via a Help
link on the credentials dialog that contains more details on just what "save
my password" means.

Patch Details (Provided by Microsoft):
**************************************
We've opened a bug against the product to track this change and this
behavior, and this may be included in a future service pack for the
operating system.

===================================================
Reply From Microsoft
===================================================
From: Microsoft Security Response Center [mailto:secure@microsoft.com]
Sent: Thursday, December 09, 2004 7:05 AM
To: Debasis Mohanty
Cc: Microsoft Security Response Center
Subject: RE: MS IE User's Authentication Details (userid/password) Sharing
vulnerability [5694mr]

Hello Debasis:

We've investigated this and had the teams look at the possible security
related attacks here. From our understanding of the report, the security
implications here seem somewhat limited. Without "save my password"
credentials are persisted within the IE process. With "save my password"
credentials are persisted across IE sessions and IE instances. There may be
some perceived inconsistency, because in the UI, IE instances are not easily
distinguishable from the multiple sessions of a single IE instance.

What could help resolve this is to perhaps explain the to a user via a Help
link on the credentials dialog that contains more details on just what "save
my password" means.

We've opened a bug against the product to track this change and this
behavior, and this may be included in a future service pack for the
operating system.

I appreciate you reporting this to us.

Regards,
--Mike
===================================================

Note: This issue of IE has got very limited security implications.

 
Thanks & Regards,
Debasis Mohanty
www.hackingspirits.com



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT