A blog about generally interesting infosec stuff by Darren Fuller/Paul Marsh, SecQuest Information Security https://www.secquest.co.uk

Friday, 9 December 2011

SmartScreen Filter Going Too Far?

Chatting to a friend earlier who had noticed requests for files on his server coming from unknown IP addresses.  Nothing weird about that, happens all the time...

BUT the files being requested had UNIQUE filenames known only to person-X and person-Y!

Looking into this, the issue is caused by IE9's SmartScreen Filter: files you download with IE are subsequently downloaded again by a third party, presumably for analysis. This could be a serious breach of privacy, and it is the DEFAULT behaviour.

Example:
A user uses IE9 to request topsecretfile.exe from a server, downloads the file, job done. A couple of minutes later the server logs look like this (lines wrapped for legibility):

208.50.101.152 - - [09/Dec/2011:10:14:48 +0000] "GET /topsecretfile.exe HTTP/1.1"  
   200 270336 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
64.124.203.73  - - [09/Dec/2011:10:15:27 +0000] "GET /topsecretfile.exe HTTP/1.1" 
   200 270336 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; 
   Trident/4.0; SIMBAR={DB2824C4-1E6B-11E0-BC3B-1C6F658133BA}; GTB6.6; SLCC2; 
   .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;
   .NET4.0C; InfoPath.1; Windows Live Messenger 14.0.8117.0416)"

Weird huh! The top secret file you were sharing with a friend/customer/agency has been downloaded by someone else!

Zips don't escape attention either:

64.124.203.78  - - [09/Dec/2011:10:43:56 +0000] "GET /topsecret.zip HTTP/1.1"
   200 345816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
208.50.101.156 - - [09/Dec/2011:10:45:21 +0000] "GET /topsecret.zip HTTP/1.1"
   200 345816 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0
   (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Foxy/1; KKMAN3.2; .NET CLR 
   2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 
   .NET4.0C; .NET4.0E) Sleipnir/2.6.0"

You can set up .htaccess or similar on the server to block the following ranges if black helicopters are circling, but this doesn't resolve the fact that possibly confidential files are being fetched without you knowing. Blocking whole subnets is probably overkill, but something like:

Deny from 64.124.0.0/15
Deny from 74.217.0.0/16
Deny from 208.48.224.0/19
Deny from 208.49.0.0/16
Deny from 208.50.0.0/17
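As an added example (not from the original post), here is a small Python script that does on the server side what the post does by eye: it parses Apache combined-format log lines, flags any successful download that a different IP re-fetched within a short window after the first request, and notes whether that second IP falls inside the ranges from the .htaccess snippet above. The sample log lines are constructed, modelled on the ones quoted in the post; the first entry (the user's own download), the last two entries and the shortened user-agent strings are assumptions added for the example.

```python
# Added example, not code from the original post.  Detects the "same unique
# file fetched again from a different IP shortly afterwards" pattern in an
# Apache combined-format access log, and checks the second IP against the
# ranges listed in the post's .htaccess snippet.
import ipaddress
import re
from datetime import datetime, timedelta

# Apache "combined" log format.  The user-agent field is matched leniently
# so a line whose UA lost its opening quote in transcription still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "?(?P<ua>.*?)"?$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# The ranges from the post's .htaccess snippet.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in (
    "64.124.0.0/15", "74.217.0.0/16", "208.48.224.0/19",
    "208.49.0.0/16", "208.50.0.0/17",
)]

# Constructed sample log (one entry per line).  Lines 2 and 3 are the two
# follow-up fetches quoted in the post, re-joined and with shortened UAs;
# lines 1, 4 and 5 are invented for the example.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Dec/2011:10:12:30 +0000] "GET /topsecretfile.exe HTTP/1.1" 200 270336 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"',
    '208.50.101.152 - - [09/Dec/2011:10:14:48 +0000] "GET /topsecretfile.exe HTTP/1.1" 200 270336 "-" Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '64.124.203.73 - - [09/Dec/2011:10:15:27 +0000] "GET /topsecretfile.exe HTTP/1.1" 200 270336 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)"',
    '198.51.100.7 - - [09/Dec/2011:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.21.0"',
    # A later fetch from another IP, outside the window: not a SmartScreen-style re-fetch.
    '203.0.113.5 - - [09/Dec/2011:14:00:00 +0000] "GET /topsecretfile.exe HTTP/1.1" 200 270336 "-" "Wget/1.12"',
]


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FORMAT)
    return entry


def in_suspect_ranges(ip):
    """True if the address lies in one of the ranges from the .htaccess snippet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETS)


def find_refetches(lines, window=timedelta(minutes=10)):
    """Return (path, first_ip, second_ip, seconds_after, in_suspect_ranges)
    for every successful GET of a path that a *different* IP fetched again
    within `window` after the first request.  Lines are assumed to be in
    chronological order, as an access log normally is."""
    first_seen = {}
    hits = []
    for entry in filter(None, map(parse_line, lines)):
        if entry["method"] != "GET" or entry["status"] != "200":
            continue
        path = entry["path"]
        if path not in first_seen:
            first_seen[path] = entry        # remember the original download
            continue
        orig = first_seen[path]
        delta = entry["ts"] - orig["ts"]
        if entry["ip"] != orig["ip"] and timedelta(0) <= delta <= window:
            hits.append((path, orig["ip"], entry["ip"],
                         int(delta.total_seconds()), in_suspect_ranges(entry["ip"])))
    return hits


if __name__ == "__main__":
    for path, first_ip, second_ip, secs, flagged in find_refetches(SAMPLE_LOG):
        tag = " (in listed ranges)" if flagged else ""
        print(f"{path}: first fetched by {first_ip}, re-fetched by {second_ip} "
              f"{secs}s later{tag}")
```

Run against a real log with `find_refetches(open("access.log"))`; the window is the only tuning knob, and the post's own timestamps (both re-fetches arrive two to three minutes after the download) suggest a few minutes is enough.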

It seems odd that random user agents are used too; why not just send "Mozilla/4.0 (Microsoft is checking your files for badness)"?

IE9's advanced options allow you to disable the filter, but this raises the question of whether companies are unintentionally leaking data to Microsoft via their customers.

If you're concerned, it's probably best to encrypt or password-protect any files you're sending and communicate the password out of band!

Fully
