Microsoft Microsoft Microsoft
Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
It's a feature.
Could I get a list of all the new security flaws in Linux? Thanks.
Oh wait, this is Slashdot.
I guess you didn't get the talking points that day.
But I thought that Internet Exploder was an integral part of the OS, at least according to M$. Therefore, this *IS* a Windows problem, based on M$'s own "logic".
The unsig!
On their page describing the security hole with active scripting, you need to have active scripting enabled to read the text that is hidden unless the "+" icon is clicked.
---Technology will liberate us if it doesn't enslave us first.
Ummmm...didn't Microsoft spend 5 years explaining to various judges that IE is an integral part of Windows? Doesn't every installation of Windows contain a copy of Internet Explorer? Come on, now, don't be disingenuous about this. Whether it's a good thing or not, IE most certainly is a part of Windows.
And what the hell bias does it "let slip?" Even if it was wrong, it wouldn't be bias, just ignorance. I can't imagine how confusing Windows and IE is more subtle bias than the big old picture of Bill Gates-as-Borg is. Sheesh. Get over yourself.
If it ain't broke, you need more software.
Cookie Data in IE Can Be Exposed or Altered Through Script Injection
Originally posted: November 08, 2001
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer
Impact of vulnerability: Exposure and altering of data in cookies.
Maximum Severity Rating: High
Recommendation: Customers should consider disabling active scripting in the
Internet Zone and the Intranet Zone. Customers using Outlook Express who have
not set OE to use the "Restricted Sites" Zone should do so as a best practice.
Affected Software:
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Technical details
Technical description:
Web sites use cookies as a way to store information on a user's local system. Most
often, this information is used for customizing and retaining a site's setting for a
user across multiple sessions. By design each site should maintain its own cookies
on a user's machine and be able to access only those cookies.
A vulnerability exists because it is possible to craft a URL that can allow sites to
gain unauthorized access to user's cookies and potentially modify the values
contained in them. Because some web sites store sensitive information in a user's
cookies, it is also possible that personal information could be exposed.
Microsoft is preparing a patch for this issue, but in the meantime customers can
protect their systems by disabling active scripting. (The FAQ provides step-by-step
instructions for doing this). This will protect against both the web-hosted and the
mail-borne variants discussed above. When the patch is complete, Microsoft will
re-release this bulletin and provide details on obtaining and using it.
Mitigating factors:
A user must first be enticed to a malicious web site or to open an HTML e-mail containing the malformed
URL.
Users who have applied the Outlook Email Security Update are not affected by the HTML mail exploit of
this vulnerability.
Users who have set Outlook Express to use the "Restricted Sites" Zone are not affected by the HTML mail
exploit of this vulnerability because the "Restricted Sites" zone sets Active Scripting to disabled. Note that
this is the default setting for Outlook Express 6.0. Users of Outlook Express 6.0 should verify that Active
Scripting is still disabled in the Restricted Sites Zone.
Severity Rating:
                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   High               High               High
Internet Explorer 6.0   High               High               High
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment
patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2001-0722
Tested Versions:
Microsoft tested Internet Explorer 5.5 SP2 and 6.0 to assess whether they are
affected by these vulnerabilities. Previous versions are no longer supported, and
may or may not be affected by these vulnerabilities.
Frequently asked questions
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it irresponsibly,
and has deliberately made this issue public only a few days after reporting it to
Microsoft. It is simply not possible to build, test and release a patch within this
timeframe and still meet reasonable quality standards.
What's the scope of this vulnerability?
A malicious web site with a malformed URL could read the contents of a user's
cookie which might contain personal information. In addition, it is possible to alter
the contents of the cookie. This URL could be hosted on a web page or contained in
an HTML email.
What causes the vulnerability?
The vulnerability results because of an unsafe handling of cookies across IE zones.
How would an attacker carry out an attack using this vulnerability?
An attacker could attempt to maliciously exploit this vulnerability by hosting a page
with a maliciously crafted URL. They could also send the victim an HTML email with
a similarly crafted URL.
In the case where the attacker hosted a web page, would he have any way to
compel me to visit the site?
The attacker could not force you to visit his site. Instead, he would need to entice
you into performing some action that would cause you to visit the site. There are,
however, a variety of actions that could be used to do this, from visiting a web site
that would redirect you to the attacker's, to opening an HTML e-mail that
referenced the attacker's site.
In the case where the attacker sent me an HTML e-mail, would simply opening
the mail allow me to be attacked?
Yes. It is possible for an attacker to craft an HTML email in such a way that it
would exploit this vulnerability on opening the mail.
Why does changing my IE settings help protect me against a mail-borne
attack?
As we mentioned above, HTML e-mails are just web pages sent via e-mail. Outlook
uses the IE security architecture to limit what HTML e-mails can do when opened.
By default, Outlook 2002 opens all HTML e-mails in the Restricted Sites Zone.
Is this a permanent change?
No. Microsoft is working to develop a patch that will eliminate the vulnerability.
When it's completed, you'll be able to install the patch and then return your IE
settings to their previous values.
How likely is it that I could be affected by this vulnerability?
It depends on your web browsing and e-mail habits. Customers who exercise care
in choosing the sites they visit, and who are careful not to open obvious spam and
other untrustworthy e-mails would be at less risk from this vulnerability. However,
customers can easily make a configuration change that will provide complete
protection.
What's the configuration change that will protect against this vulnerability?
Customers who are concerned about this vulnerability should disable active
scripting. All web pages (and HTML e-mails, which are just web pages delivered via
e-mail) are categorized into one of several zones, and the settings in each zone
dictate what actions can be taken within it. By disabling active scripting in the
Internet zone a user can prevent an attacker from exploiting either the web-borne
or mail-borne versions of this attack.
How do I disable active scripting in Internet Explorer 5.5 and 6.0?
On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
In the Settings box, scroll down to the Scripting section, and click Disable under "Active scripting" and
"Scripting of Java applets".
Click OK, and then click OK again.
I am a network administrator. How can I disable active scripting in my
enterprise?
With new deployments of Internet Explorer, an administrator would use the IEAK and disable active
scripting before building the package and rolling it out to client machines.
For currently deployed clients, use Profile Manager to create an auto-config INS file to make registry changes
needed to disable active scripting on the client machines with Internet Explorer already installed.
For administrators that prefer to use SMS or login scripts, the following are the registry changes that would
disable active scripting on the client machine:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
There are five different sub keys under each "Zones" key. Each key controls a
different security zone. The key names are 0-4.
0 = Your computer
1 = Local Intranet
2 = Trusted Sites
3 = Internet
4 = Restricted Sites
There is then a DWORD value under each zone number key that must be modified to disable active-scripting
for each zone.
REG_DWORD value is "1400" to be modified.
Setting this value to "3" (from "0") will disable active scripting.
HKCU setting changes take effect immediately. However the HKLM settings
would most likely require a reboot.
Patch availability
Download locations for this patch: A patch will be posted as soon as it is available.
Additional information about this patch
Installation platforms:
This patch can be installed on systems running Internet Explorer 5.5 and 6.0 when available.
Obtaining other security patches:
Patches for other security issues are available from the following
locations:
Security patches are available from the Microsoft Download Center, and can be most easily
found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
All patches available via WindowsUpdate also are available in a redistributable form from the
WindowsUpdate Corporate site.
Other information:
Support:
Technical support is available from Microsoft Product Support Services. There is no charge for
support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
V1.0 (November 08, 2001): Bulletin Created.
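The registry change described in the bulletin quoted above, as an added PowerShell example (not part of the bulletin or of the comment that quotes it): it sets value 1400 to 3 for the Local Intranet and Internet zones under HKCU, then reports all five zones and flags any of zones 1, 3 and 4 where scripting is not disabled. The function names are illustrative, and the full `Internet Settings\Zones` key path is an assumption where the quoted text is cut off.

```powershell
# Added example. Zone numbers 0-4 and value "1400" = 3 (active scripting disabled)
# come from the bulletin text; function names and the full key path are assumptions.
$ZonesKey  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'Your computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';      4 = 'Restricted Sites' }

function Get-ActiveScriptingState {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    foreach ($zone in 0..4) {
        $path  = "${Hive}:\$ZonesKey\$zone"
        $value = (Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue).'1400'
        [pscustomobject]@{
            Hive     = $Hive
            Zone     = $zone
            Name     = $ZoneNames[$zone]
            Value    = $value              # $null when the key or value is absent
            Disabled = ($value -eq 3)
        }
    }
}

function Disable-ActiveScripting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU',   # HKLM needs elevation
        [ValidateRange(0, 4)][int[]]$Zone = @(1, 3)            # Intranet and Internet zones
    )
    foreach ($z in $Zone) {
        $path = "${Hive}:\$ZonesKey\$z"
        if (-not (Test-Path $path)) { Write-Warning "$path not found, skipped"; continue }
        if ($PSCmdlet.ShouldProcess($path, 'Set 1400 = 3 (disable active scripting)')) {
            Set-ItemProperty -Path $path -Name '1400' -Value 3 -Type DWord
        }
    }
}

# Apply the bulletin's recommendation for the current user, then audit.
Disable-ActiveScripting -Hive HKCU -Zone 1, 3
$state = Get-ActiveScriptingState -Hive HKCU
$state | Format-Table -AutoSize

# Zones 1 and 3 should now be disabled; zone 4 should already be disabled by default.
$open = $state | Where-Object { ($_.Zone -in 1, 3, 4) -and (-not $_.Disabled) }
if ($open) { Write-Warning ("Active scripting not disabled in: " + ($open.Name -join ', ')) }
```

Run `Disable-ActiveScripting -WhatIf` first to see which keys would be written without changing them.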
As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
Well duh! If you're creating webpages just for IE you get what you deserve. There are standards out there and if you use them you will be fine. If you don't use them you only have yourself to blame.
I've stopped blaming Microsoft and started blaming these webmasters who ought to know better.
A Government Is a Body of People, Usually Notably Ungoverned