SCN: MSIE bug
Steve
steve at advocate.net
Tue Nov 7 14:56:02 PST 2000
=======================
(Brian Livingston, InfoWorld)---A flaw that's been newly discovered
in Microsoft's Internet Explorer 4 and 5 allows almost any Web site
you visit to read all the files on your hard disk. And, because recent
versions of Outlook and Outlook Express use IE's code base to
display complex e-mail messages, even an e-mail you receive can
read all about you. No attachment is required.

This new problem was found by Georgi Guninski, who's made
something of a sport of exposing Microsoft weaknesses.

Guninski has even created a Web page that demonstrates the
problem. It merrily lists all the file names in the root of your C: drive.
But don't go to this Web site until you use Microsoft's patch (see
below) or take the following steps to prevent other Web sites from
viewing your files.

My thanks go to Steve Fallin of WatchGuard Technologies
(www.watchguard.com) for his work-around:
Step 1. In Internet Explorer, pull down the Tools menu, and then click
Internet Options.
Step 2. Click the Security tab.
Step 3. Select the Internet icon, and then click Custom Level.
Step 4. Scroll down to Microsoft VM/Java Permissions, and then
click Custom.
Step 5. Click the Java Permissions Settings button.
Step 6. Click the Edit Permissions tab.
Step 7. Change the radio button under Run Unsigned Content to
Disable. Change Signed Content to Prompt.
Step 8. Click the Reset button.
Step 9. Click OK or Yes all the way out to save your changes.

These steps will disable Java applets and plug-ins from "unsigned"
(anonymous) Web sources. If the creator has "signed" the applet,
you will see a prompt asking you to accept (if you really trust the
source) or reject.

If you've made the changes outlined above, you're ready to visit
Guninski's site and see how easily a mere Web page or e-mail can
read your entire hard drive. Go to
www.guninski.com/javacodebase1-desc.html . This text page links to
the actual demonstration.

In my tests, I found that once a machine has run Guninski's demo,
the exploit still works later, even after you apply the work-around.
However, if the change is made before a machine visits Guninski's
site, his demo cannot automatically have its way.

Instead, you are presented with the prompt I mentioned earlier: "Do
you want to allow software such as ActiveX controls and plug-ins to
run?" If in doubt, you should answer No to this question.

In Guninski's case, it's safe to click Yes to see for yourself how a
Web site or e-mail can read your entire hard drive.

WatchGuard's Fallin says his company's firewall products can stop
Java applets if you configure the hardware that way. "But we can't
require one policy that works in all situations," he says. Instead, he
says companies must judge for themselves "the trade-off between
usability and security."

For information and Microsoft's patch, go to
www.microsoft.com/technet/security/bulletin/fq00-081.asp

Copyright 2000 InfoWorld Media Group, Inc.