[5409] in bugtraq


Fix Now Available for "Freiburg" Text-Viewing Issue

daemon@ATHENA.MIT.EDU (Aleph One)
Fri Oct 17 20:47:11 1997

Date: 	Fri, 17 Oct 1997 19:30:35 -0500
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG

http://www.microsoft.com/ie/security/?/ie/security/freiburg.htm

   Fix Now Available for "Freiburg" Text-Viewing Issue
   This Page Last Updated on October 17, 1997

   Microsoft is now providing a fix to protect users' computers against a
   potential problem with Internet Explorer 4.0 known as the Freiburg
   text-viewing issue, which could allow a malicious Web site to obtain
   the contents from a text, HTML, or a graphic image (no other file
   types) from a user's hard disk. That information could not be damaged
   or manipulated on the user's computer, but it could be viewed.

   How to protect your computer: Below you can find out more about this
   potential problem. But first, here are two ways to protect your
   computer from it:
     * [15]Download the patch we just posted, which provides an easy and
       complete fix for the problem. (Many thanks to Ralf Hueskes from
       [16]Jabadoo Communications in Freiburg, Germany, for reporting the
       problem to Microsoft and helping us test this fix.)
     * Internet Explorer 4.0's Security Zones feature can be configured
       to offer protection against this bug by allowing users to disable
       scripting for unfamiliar sites. (From the View menu, choose
       Options. Then click the Security tab and select the "Restricted
       web sites" zone. Choose Custom, then under the "Active Scripting"
       option, choose to disable Active Scripting. Users can add any
       unfamiliar sites to this zone and will be protected.)
       Administrators can also use Security Zones to prevent this problem
       from occurring on their intranet.

   Details of the potential problem: The issue could allow a malicious
   person to create a Web page that is intentionally designed to exploit
   this problem to view the contents of a text file, HTML file, or
   graphic image from a user's hard disk. The Web page must be
   specifically designed to obtain certain files -- to the level of
   knowing and including the exact filename and location -- and that
   file must be an HTML, text, or image file. Even if those conditions
   are met, the site cannot destroy or tamper with any data. Again, data
   cannot be obtained from any files other than text, image, or HTML.


References

  15. file://localhost/msdownload/ieplatform/ie4patch/ie4patch.htm
  16. http://www.jabadoo.de/
