[12906] in North American Network Operators' Group
IE 4.0 Security Flaw
daemon@ATHENA.MIT.EDU (James Philpott)
Fri Oct 17 15:23:47 1997
From: James Philpott <JamesP@MetaInfo.com>
To: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Fri, 17 Oct 1997 12:00:59 -0700
Imagine.
IE 4.0 Security Flaw
(http://www.zdnet.com/pcmag/news/trends/t971017a.htm)
German experts uncover a browser bug with an effect similar to the Navigator bug exposed last June.
(10/17/97) -- Last June, the Internet community went into an uproar when a Danish computer consultant discovered a security flaw in the first release of Netscape Navigator 4.0. The bug would let clever intruders get access to Web surfers' local files.
Now it's Microsoft's turn.
Yesterday, the German computer magazine C'T reported that Ralf Hueskes, a consultant at a German company called Jabadoo Communications, found a similar security hole in Microsoft Internet Explorer 4.0 when he reviewed the browser for that magazine.
Using Dynamic HTML, an intruder can hide a 1- by 1-pixel IFRAME with a reference to the file he wants to see (the path and the name) in a Web page or a mail message. When the victim reads the page or message, the browser or Outlook Express client loads the referenced file into an invisible window via a small Jscript (or any ActiveScripting) program. An additional hidden IFRAME sends it to the intruder's server. The intruder can't change or delete the file; he can simply read it. Interestingly, the flaw does not seem to appear in Macintosh versions of the browser.
Because the file needs to load into a browser frame, the bug allows access only to text or HTML files. And since a file's exact location in the file system may not be obvious, the potential for mischief isn't necessarily huge.
C'T alerted Microsoft Germany of the problem, and officials said Thursday night that Microsoft would post a fix on its site as early as today. Representatives at Microsoft's U.S. headquarters also confirmed to The San Jose Mercury News that the company would make a patch available, and they pointed out that users can protect themselves by disabling Active Scripting (View/Internet Options/Security/Custom/Settings/Scripting). Note, however, that disabling scripting will make much Web content inaccessible.
--Larry Seltzer and Don Willmott
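
A defensive check for the pattern the article describes, added here as an example that is not part of the original post or the quoted article: it flags IFRAMEs in an HTML page or mail body that reference local files or are hidden (1 by 1 pixel, or styled invisible). The function names, the size threshold and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one hidden local-file IFRAME, one ordinary banner, one hidden remote frame.
SAMPLE = """<html><body>
<p>Hello</p>
<IFRAME SRC="file:///C:/PLACEHOLDER/notes.txt" WIDTH=1 HEIGHT=1></IFRAME>
<iframe src="http://example.com/banner.html" width="468" height="60"></iframe>
<iframe src="http://example.com/t.html" style="display: none"></iframe>
</body></html>"""

MAX_HIDDEN_PX = 1  # assumption: frames no larger than the article's 1x1 count as hidden

def is_local_ref(src):
    # file: URLs, Windows drive paths (C:\...) and UNC paths (\\host\share)
    src = src.strip()
    return bool(urlparse(src).scheme.lower() == "file"
                or re.match(r"^[a-zA-Z]:[\\/]", src) or src.startswith("\\\\"))

def _px(value):
    # width/height attribute as an int pixel count, or None if absent or not numeric
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return int(m.group(1)) if m else None

class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = w is not None and h is not None and max(w, h) <= MAX_HIDDEN_PX
        hidden = tiny or "display:none" in style or "visibility:hidden" in style
        local = is_local_ref(src)
        if local or hidden:  # report either signal; both together match the article
            self.findings.append({"line": self.getpos()[0], "src": src,
                                  "local": local, "hidden": hidden})

def audit(html):
    auditor = IframeAuditor()
    auditor.feed(html)
    return auditor.findings
```

A finding with both `local` and `hidden` set corresponds to the frame the article describes; a hidden remote frame alone is common in ordinary pages and is reported only as a weaker signal.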