[4706] in WWW Security List Archive
Two More MSIE Bugs
daemon@ATHENA.MIT.EDU (David Kennedy)
Fri Mar 7 04:11:42 1997
Date: Fri, 7 Mar 1997 02:12:18 -0500
From: David Kennedy <76702.3557@compuserve.com>
To: Risks List <risks@csl.sri.com>,
"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>,
WWW Security List <WWW-SECURITY@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
Courtesy of the COMTEX Newswire via CompuServe's Executive News Service:
EliaShim warns of security hole in Internet Explorer
COMTEX Newswire 3/6/97 8:38 PM
> PC Week Online (March 6, 1997) - Less than a week after the
>discovery of a potential security gap in Internet Explorer 4.0,
>Microsoft Corp. may have another hole to fill.
> EliaShim Ltd., an anti-virus company, claims it has
>identified security problems in Microsoft Internet Mail and
>News applications. "Hostile links" can be embedded in newsgroup
>messages or in messages received by Internet Mail as shortcuts,
>company officials said.
Another Internet Explorer Bug Found
Courtesy of the COMTEX Newswire via CompuServe's Executive News Service:
> REDMOND, WASHINGTON, U.S.A., 1997 MAR 7 (Newsbytes) -- By Bob
>Woods. Another bug in Microsoft's [NASDAQ:MSFT] Internet
>Explorer (IE) World Wide Web browsing software has been
>discovered by a group of University of Maryland students. The
>students posted their results at their Web site today, and
>claimed that the bug could let a hacker remotely break into a
>user's computer or install viruses onto the system.
> UMD students David Ross, Dennis Cheng, and Asher Kobin found
>the bug in IE 3.01.
:: Microsoft acknowledge the bug but hasn't defined it full impact.
> The bug apparently centers around IE's Iframe, or floating
>frames feature.
The patch for the URL/LNK bug does not fix the UMD student's bug.
> The students' Web site is at http://dec.dorm.umd.edu/ .
> Microsoft's IE site is at http://www.microsoft.com/ie .
Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.
