[87566] in Cypherpunks
Possible Security Hole in Internet Explorer 4.0
daemon@ATHENA.MIT.EDU (Martin Minow)
Thu Oct 2 16:31:55 1997
Date: Thu, 2 Oct 1997 11:44:52 -0700
To: risks@csl.sri.com
From: Martin Minow <minow@apple.com>
Cc: cypherpunks@cyberpass.net
Reply-To: Martin Minow <minow@apple.com>
From a message in MacOSRumors <http://rumors.netexpress.net/> (I have
not independently verified this)
--- Begin quote ---
Internet Explorer 4.0 ships with major security hole....
With the Microsoft Internet Explorer 4.0 for Windows release only hours
old, users have already discovered a major security hole that smacks
painfully of Big Brother:
Most folks will remember the Netscape java bug that allowed you to snoop on
what people where visiting. Well IE4.0 goes a bit further than this -
Logging of your actions, even when you would otherwise be shielded by
proxies is BUILT-IN.
The channel definition format (.CDF)
http://www.microsoft.com/standards/cdf-f.htm
includes a LOGTARGET feature that allows a web site provider to make your
browser deliver logs of your usage via an http post or put. Even hits from
cache are logged. This is all not so good and getting worse. Not only is
the information posted material, you wouldn't want to give to a provider,
(considering) "http post/put" is normally spoofable anyway.
Unanswered question for next time - or for folks with more time than me to
follow up Can you put other sites in your channel definition and get logs
of when they read your competitor's site (with this system)?
Definitely not confidence-inspiring. It appears the Mac version is affected
by this same problem, as well...and neither platform has any means of
disabling this "feature" at present.
---
[Internet Explorer 4.0 has not yet been released for the Macintosh platform.]
Martin Minow minow@apple.com
