Don't Hit That Back Button

Saint Aardvark writes: "From the Bugtraq mailing list comes this warning: 'Using the Back Button in IE is dangerous'. When hitting the back button, javascript links will be executed in the security zone of the last url viewed. Proof-of-concept included in the warning will execute minesweeper or read your Google cookies."

Go Mozilla!

With every passing week, MS gives us more and more reasons not to use their POS browser. Whereas Mozilla is quickly becoming the undisputed king; tabbed browsing, filtering popups, better security options, and .. oh yeah, it's open source.

Take that, Microsoft. ;-)

Re:Go Mozilla!

Well I guess it's because the topic is "Another IE exploit", and the post is not about an IE exploit, it just says "Mozilla is faster than IE".

So...

[NetRanger]

...

Sheesh, what really needs to be said here? Internet Explorer is full of more bugs than a $19.95 roadside motel. I can't wait for the explaination for this one out of Monopolis (AKA Redmond, WA).

Java's been crashing IE of late

[blair1q]

So it may not matter.

http://arizona.diamondbacks.mlb.com crashes both IE6 and IE5.

I don't know why. Could be the address it crashes at has a hardware problem on my machine. But why is java poking around my hardware?

Java is insecure, Windows is insecure, the Internet is insecure, and everyone using them has always known that.

--Blair

Re:Java's been crashing IE of late

[evil_one]

My roommate had IE crash on any site that used Javascript. Then I removed the spyware from his computer. Wow... what a difference.

This catch anyone's eye?

[Omerna]

"Microsoft contacted 12 Nov 2001, additional information given 25 Mar 2002."

That's pretty long time (5-6 months, too lazy to figure out the actual number of days etc.) that Microsoft has done nothing (at least not a fix). Especially because this overlaps the time when they decided to make their people go to security workshops (or some such). If they can't even fix a known, reported bug in the security how can they find them on their own and fix them? Or not write them in the future?

Oh yeah, it'd be nice to know if I can get around this by doing "right-click" / "back" or if that is affected and not JUST the toolbar.

Re:This catch anyone's eye?

[ukryule]

"Microsoft contacted 12 Nov 2001, additional information given 25 Mar 2002."

Well that links in well with the memo Bill Gates sent on January 15th. What was it he said?

"We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched ..."
Hmm - that was before the new emphasis on security ...
"If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first."

Given those comments, how can they not have done anything about this? Doesn't sound like a fundamental problem that would take a massive effort to fix.

Go Mozilla Anyways!

[KagatoLNX]

Bench the latest Mozilla build (turn off debugging and turn on optimization, just like a normal release build) and post that again. Of course, to really shine, run it on Linux or a free BSD.

Seriously, it's fast and its implementation of little things like CSS (which as far as I'm concerned is the future of online content) is light years ahead if IE anyways.

Then again, you might be interested to know that as of IE 5.5, IE was backported from the Macintosh version. That's right, the MS-IE-Mac-port team did it so much better that they backported it to Windows. That's where the speed and decent standards support came from!

I think that this goes to show that Microsoft doesn't re-write something from scratch on purpose. They had to force their Mac team to basically do so (because, like, it's IE not on Windows, you have to redo a bunch of stuff) before they figured out that they needed to reimplement. The sad thing is that they don't seem to be willing to do it where it counts, no matter how "security focused they become" they don't ever figure out that it's impossible to effectively rewrite Windows "a piece at a time".

Re:Using Linux considered harmful

[Corporate+Drone]

No, you mean:

A: Didn't you RTFM? Everybody knows that you have to configure the system correctly and intelligently in order to keep people out of it! Why don't you go to Windows, where the default install is the only one they expect people to execute?

Re:hm

[jspaleta]

" I still can't figure out why people are using IE, seriously."

1)Bundled....people are sheep.
2)Bundled.....a lot of people dont have the band or the patience to do a lot of downloading (AOL users on dialup)
3)Bundled...on a corporate win2k desktop where the user just logins in and cant really install much in the way of software...see 1) s/pc support personal/people

-jef

yearning for the past

[Faust7]

When I spent hours in labs browsing with Netscape 2.0...

When a webpage wasn't something you had to figure out how to escape...

When 'Back' meant back...

When there was just smooth uninterrupted navigation, and no pop-ups or banners...

When people could say pretty much say anything anywhere, no DMCA...

... remember that?

Re:My company's solution to IE

[MADCOWbeserk]

Somehow I doubt this story. I have seen Netscape 4.X mandated, but Netscape itself had several security issues itself (brown oriface) Back in 1999 Mozilla sucked. It is only in th .9X braches that Mozilla/Netscape 6.X became usable. Whose environment offers a choice between Konq. Lynx Ie. and Mozilla, wondering where he sampled IE/Linux, Lynx and Konq/Win32. Finally, any self respecting company should have had their mail server configured to throw out those messages as junk.

Frankly I love Mozilla, (especially with the Pinball theme). It has a great interface, and has become quite stable. However from a security standpoint it is still up in the air as to how secure it will be.

Mozilla has a bright future. I would like to see it replace explorer as well IE. It would really screw Microsoft to lose the UI along with the browser.

Is there a real exploit here?

[Chuck+Chunder]

Even if an executable were encoded in the link would the end user not be simply warned that they are attempting to download an executable, as with any other URL that served them an executable?

It's only a security hole if delivering the content via the data URL is treated differently than getting it via an http, ftp or javascript one.

Trolling, or just blind stupid?

First off, had you bothered to do any research, RFC 2397 defines the data: URL scheme--this isn't some Mozilla debug thing, as you foolishly asserted. Second, you haven't actually demonstrated how this behaves differently from a normal URL. If you click http://this.is.a.url/ and the document at the end has a meta refresh to goatse.cx, how is that different from a data: URL (other than the data:URL being easier to spot)? Same deal with a shell script or .exe; it won't autorun any more than if you clicked on a link and got in through HTTP.

I'm not sure whether you actually believe you've found a vulnerability, or are just trolling for Konqueror; either way, it illustrates the weakness of /. moderation in succumbing to a good line of BS.

Re:On a (somewhat) related topic...

[rjamestaylor]

learn the user interface of your development platform, adhere to its principles even at the risk of causing you, the developer, more work and you'll have much happier users.

Re:On a (somewhat) related topic...

[jesser]

Hotmail does not have this problem. Netscape webmail does not have this problem. It's a bug in your code, and I bet you would have saved time by fixing it rather than trying to "teach" your users how to work around it.

Re:A complete list

[maxpublic]

I think it might qualify as a "dumb ass bug" because despite having been informed of the problem last November MS failed to fix the exploit - even after their two-month 'security review'.

So the bug went from 'subtle' in November to 'dumb ass' today because the lackwits in Redmond completely ignored it - hence the label. As in, "only a dumb ass would ignore this bug".

Max

The problem is: it's a designflaw.

[Otis_INF]

Buffer overflows... these are implementation-specific bugs and should be easily patchable. However, MS put a lot of functionality into IE (for the most part because it's bundled) and when you look at the separate parts of all this functionality, you don't see exploitable stuff. However, combining parts of the functionality CAN LEAD to a situation that wasn't forseen, and perhaps will lead to a vulnerability.

It's easy to say "Crap!" but it takes a wicked mind to combine the right parts of the functionality of a program to create a hole, a mindset which is obviously not present under the IE designers. (but which should be though).

As a true microsoftie I more and more begin to realize that the bundling should be undone, so the set of functionality build into the webbrowser is simply focussed on what it should do: rendering pages.

Using another browser is not the answer however. The only browser that comes close to IE6 is Netscape/Mozilla, however these browsers are also packed with features you'll probably never need but CAN probably be used to create a hole when combined with other functionality in the program.

Re:The problem is: it's a designflaw.

VisualStudio.NET bombs the Linux developer right back to the stone age.

LOL. You'd like to think that wouldn't you? I used to be a Microsoftie too, until I got a job supporting Unix boxes with dumb terminals mixed with NT servers with Windows clients. Take a wild guess as to which causes 95% of the problems while doing (maybe) 30% of the productive work?

Actually working with Windows in a production environment has made me come to hate it. And to love my simple and reliable Unix boxen.

Re:One reason I love Opera

Gotta love the mouse movement commands, too. Great program.