[387] in WWW Security List Archive
Re: What's the deal ?
daemon@ATHENA.MIT.EDU (Phillip M. Hallam-Baker)
Wed Feb 15 09:19:46 1995
To: www-security@ns2.rutgers.edu
cc: hallam@dxal18.cern.ch
In-reply-to: Your message of "Tue, 14 Feb 1995 12:53:07 PST."
<Pine.BSD.3.91.950214124043.18272e-100000@get.wired.com>
Date: Wed, 15 Feb 1995 11:30:10 +0900
From: "Phillip M. Hallam-Baker" <hallam@dxal18.cern.ch>
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

There was a security bug in a modified version of a browser used by a
company as part of their software distribution system. This effectively
had the shell registered as the MIME handler for the shell content type.
Go figure.

This feature was discovered by a researcher here a few days after the product
was released and the company involved was informed. They stopped distribution
immediately.

I agree with Brian that certification of adherence to standards would be
a useful role for W3C, but I would not wish to be liable for security
loopholes in someone else's product. It's bad enough having one's own
code to worry about.

Phill Hallam-Baker
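
Archive note (an added example, not part of the original message and not code from the product discussed): a small audit for the class of misconfiguration described above, where a content type is handed straight to a command interpreter. It assumes handlers are registered in mailcap (RFC 1524) syntax; the interpreter list and the sample entries are constructed for illustration.

```python
import posixpath
import re
import shlex

# Assumed list of programs that execute whatever content they are handed.
INTERPRETERS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "perl", "python", "tclsh", "wish"}

# Constructed sample in mailcap syntax, not taken from any real product.
SAMPLE_MAILCAP = """\
# viewers
image/gif; xv %s
application/postscript; ghostview %s
application/x-sh; /bin/sh %s
application/x-csh; csh < %s; needsterminal
text/plain; more %s; needsterminal
application/x-perl; \\
    /usr/bin/perl %s
"""

def parse_mailcap(text):
    """Yield (content_type, view_command) pairs from mailcap text."""
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):              # trailing backslash continues the entry
            pending += raw[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are separated by ';' unless the ';' is backslash-escaped.
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) >= 2:
            yield fields[0].lower(), fields[1]

def risky_handlers(text):
    """Return (type, command) entries whose viewer is a command interpreter."""
    findings = []
    for ctype, command in parse_mailcap(text):
        try:
            words = shlex.split(command)
        except ValueError:                  # unbalanced quotes: fall back to whitespace split
            words = command.split()
        if words and posixpath.basename(words[0]) in INTERPRETERS:
            findings.append((ctype, command))
    return findings

if __name__ == "__main__":
    for ctype, command in risky_handlers(SAMPLE_MAILCAP):
        print(f"interpreter registered as handler: {ctype} -> {command}")
```

The check is a heuristic on the first word of the view command only; a handler that reaches an interpreter through a wrapper script will not be flagged.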