[10040] in bugtraq
Re: IE5 Feature/security hole
daemon@ATHENA.MIT.EDU (Eilon Lipton)
Tue Mar 30 21:10:37 1999
Date: Mon, 29 Mar 1999 15:41:00 -0500
Reply-To: Eilon Lipton <yoe@MEDIAONE.NET>
From: Eilon Lipton <yoe@MEDIAONE.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <36FF2164.39257EBC@utu.fi>
This is getting a bit off-topic, but anybody who is *that* concerned with
the privacy of what they type in their e-mail has two options:
1. Disable the feature in the Options
2. Keep the workstation locked when not present at it
All the main Internet settings, including all the Intelli-whatever stuff, are
stored in
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
There is also a key there,
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\SPW
Which has stuff in it such as:
"7* U0D7O=9FN+4 = 0x00000000 (0)
.[JYB C-HQN6EYE = 0x00000000 (0)
And several more.
These appear to be encrypted, but do not ask me how. I have 14 such
oddly-named keys in my registry and I have used this feature quite a lot
(since the betas of IE5). It would be interesting if anybody could find out
how these are encrypted given the data that was encrypted and its encrypted
result.
Anyway, part of my point is that an administrator who is really worried
about his NT system can write a teeny little program that disables all these
features and even denies the user the right to modify these settings via the
registry's security settings.
The other part is that a user on his/her own can protect themselves by
simply disabling this option (same as with Netscape's "What's related"
thingo, which is also now a feature in IE5, made by the same people,
methinks).
The other other part of my point is that some John Doe cannot just steal the
stored stuff because as you see above that is nowhere near plaintext.
Eilon Lipton
yoe@mediaone.net
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@netspace.org]On Behalf Of Juha Jäykkä
> Sent: Monday, March 29, 1999 1:45 AM
> To: BUGTRAQ@netspace.org
> Subject: Re: IE5 Feature/security hole
>
>
> > According to Microsoft, the database (call it what you like) where all this
> > information is stored is encrypted, so you cannot just go to a random
> > machine and grab all the data - you must go to a form that has the proper
> > field names in order to get the information.
>
> Blast it! Where does the pass phrase come from? Does IE5 ask the user
> for encryption password when this autofill feature is first used? Does
> IE5 ask the user for decryption password every time this feature is used
> during different sessions? (By session I mean running a program and
> shutting it down. The important thing here is it thus effectively erases
> any memory cache it might have been using - if it remembered the
> password (as programs NEVER must)...) If you answered "no" to any of the
> above, then the password is stored somewhere and it can be retrieved and
> the "secure" encrypted storage decrypted by anyone who has access to the
> machine. This brings us back to square one: anyone with access to your
> IE5 has access to anything you have ever typed in any form.
> By the way: where exactly are the entries stored? Are they secured
> with proper NTFS permissions or are they just left somewhere in
> %SystemRoot% with Everyone:F permissions so every user would use the
> same file or does every user have a distinct file (not that this would
> help with non-NT windows)?
> I just wonder, when will we see security in MS products, other than
> NT? I'm becoming really worried... now that NT5 is renamed, I'd not be
> surprised if security had been also lost with the name...
>
> --
> Juha Jäykkä, juhaj@iki.fi
>
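The "teeny little program" the reply describes, written out as an added example (not code from either poster): it turns the form-storage feature off under the Main key named above and then adds a deny ACE so the user cannot switch it back on. The value names "Use FormSuggest" and "FormSuggest Passwords" are IE's own AutoComplete switches but are not named in the thread, and the example uses today's PowerShell rather than anything available on NT in 1999.

```powershell
# Added example, not from the original post. Assumes the value names
# "Use FormSuggest" and "FormSuggest Passwords" (IE AutoComplete switches
# under the Main key; not mentioned in the thread). Run elevated.

$main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# 1. Turn AutoComplete for forms and for saved passwords off in the registry
#    (the same thing the user would do in the Options dialog).
Set-ItemProperty -Path $main -Name 'Use FormSuggest'       -Value 'no'
Set-ItemProperty -Path $main -Name 'FormSuggest Passwords' -Value 'no'

# 2. Deny the logged-on user the right to write values or create subkeys
#    under Main, so the setting cannot be re-enabled from the dialog.
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$deny = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $user, 'SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Deny'
$acl = Get-Acl -Path $main
$acl.AddAccessRule($deny)
Set-Acl -Path $main -AclObject $acl

# 3. Verify: the two values must read "no" and a Deny entry must be present.
$state = Get-ItemProperty -Path $main |
    Select-Object 'Use FormSuggest', 'FormSuggest Passwords'
$denies = (Get-Acl -Path $main).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' }
$state
$denies | Format-Table IdentityReference, RegistryRights, AccessControlType
```

A deny ACE on a key the user still owns is only a speed bump, since the owner can rewrite the ACL; to make it stick an administrator must also take ownership of the key, which is the "registry's security settings" part of the original suggestion.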