SCN: MSIE bug

Steve steve at advocate.net
Tue Nov 7 14:56:02 PST 2000


=======================

(Brian Livingston, InfoWorld)---A flaw that's been newly discovered 
in Microsoft's Internet Explorer 4 and 5 allows almost any Web site 
you visit to read all the files on your hard disk. And, because recent 
versions of Outlook and Outlook Express use IE's code base to 
display complex e-mail messages, even an e-mail you receive can 
read all about you. No attachment is required.  

This new problem was found by Georgi Guninski, who's made 
something of a sport of exposing Microsoft weaknesses.  

Guninski has even created a Web page that demonstrates the 
problem. It merrily lists all the file names in the root of your C: drive.

But don't go to this Web site until you use Microsoft's patch (see 
below) or take the following steps to prevent other Web sites from 
viewing your files.  

My thanks go to Steve Fallin of WatchGuard Technologies 
(www.watchguard.com) for his work-around:  

Step 1. In Internet Explorer, pull down the Tools menu, and then click 
Internet Options.  

Step 2. Click the Security tab.  

Step 3. Select the Internet icon, and then click Custom Level.  

Step 4. Scroll down to Microsoft VM/Java Permissions, and then 
click Custom.  

Step 5. Click the Java Permissions Settings button.  

Step 6. Click the Edit Permissions tab.  

Step 7. Change the radio button under Run Unsigned Content to 
Disable. Change Signed Content to Prompt.  

Step 8. Click the Reset button.  

Step 9. Click OK or Yes all the way out to save your changes.  

These steps will disable Java applets and plug-ins from "unsigned" 
(anonymous) Web sources. If the creator has "signed" the applet, 
you will see a prompt asking you to accept (if you really trust the 
source) or reject.  

If you've made the changes outlined above, you're ready to visit 
Guninski's site and see how easily a mere Web page or e-mail can 
read your entire hard drive. Go to
www.guninski.com/javacodebase1-desc.html. This text page links to
the actual demonstration.

In my tests, I found that once a machine has run Guninski's demo, 
the exploit still works later, even after you apply the work-around.  

However, if the change is made before a machine visits Guninski's 
site, his demo cannot automatically have its way.  

Instead, you are presented with the prompt I mentioned earlier: "Do 
you want to allow software such as ActiveX controls and plug-ins to 
run?" If in doubt, you should answer No to this question.  

In Guninski's case, it's safe to click Yes to see for yourself how a 
Web site or e-mail can read your entire hard drive.  

WatchGuard's Fallin says his company's firewall products can stop 
Java applets if you configure the hardware that way. "But we can't 
require one policy that works in all situations," he says. Instead, he 
says companies must judge for themselves "the trade-off between 
usability and security."  

For information and Microsoft's patch, go to 
www.microsoft.com/technet/security/bulletin/fq00-081.asp

Copyright 2000 InfoWorld Media Group, Inc.




