Don't Hit That Back Button
Saint Aardvark writes: "From the Bugtraq mailing list comes this warning: 'Using the Back Button in IE is dangerous'. When hitting the back button, javascript links will be executed in the security zone of the last url viewed. Proof-of-concept included in the warning will execute minesweeper or read your Google cookies."
Attack of the Back Button -- "Getting stuck on a web page can be painful. The back button doesn't always work. While there are many ways to escape from web pages, many users don't know the tricks. A company can stop hurting users by doing more testing, using proper development methods, and being aware of the issue."
Interestingly enough, McAfee caught it and labeled it a .vir right after I double-clicked on the test html....
Would a vulnerability still exist if a user wrote a page that redirected the browser to some page with malicious code in the target, and then, with a little bit of javascript set the location to javascript:history.back() (i.e. on mouse movement or whatever). Would this cause the javascript to run under the improper security settings, or does the user actually have to hit the "back" button?
Back in 1999, when the dot-coms were flying high and my company resembled an Internet startup (although we had been in business since 1992), we hastily set up new offices and cubicles with little regard for information security. After all, what was the worst that could happen - an email worm? Well, we quickly found out: a malicious hacker had targeted our company, and sent an email to "all @" my domain containing a link to a supposed Yahoo News story. Unfortunately, this link sent the employees to a malicious site that caused their insecure IE browsers to yield control of nearly every Windows PC in the company to the intruder. They stole and destroyed much important data, and took over a week of nonstop unpaid overtime to fix things.
A few weeks after the incident, our vice president of operations mandated a Mozilla-only policy. Employees were forbidden from running IE, Lynx (another notoriously insecure browser), and Konqueror (which crashed constantly anyway). Since that time, we have had zero browser related security issues, and employees waste far less time surfing the web, mainly because a lot of time-wasting sites only work in Microsoft standards-compliant browsers. Converting to Mozilla has been a win-win situation, and I fully expect the same to be happening across America after this latest IE security breach. Enough is enough; we need to take back control of our networks.
http://diesel.2y.net/mine.htm
My McAfee VirusScan already checks for this bug.
THERE IS NO DATA. THERE IS O
PopUp Stopper seems to have prevented MineSweeper from loading. Exploit works if I turn PopUp Stopper off.
XP Pro, IE6
I found the same bug in Mozilla last summer while I was working at Netscape. My boss fixed it within a week, so versions after Mozilla 0.9.3 did not have the bug. It was bug 88167 if you're interested. I'm not sure why I didn't notice that IE was vulnerable as well. Anyone want to go through old Mozilla security holes and see how many of them affect IE 6?
Anyway, keep using that Back button. If you're using IE to browse warez/porn, you have more to worry about than someone looking at your cookie for another site. An attacker could just copy the IE exploit of the week from http://jscript.dk/unpatched/. I believe that page has had current IE security holes that allow running arbitrary instructions for two months straight. (That means you can keep up with the latest IE patches, but if an attacker reads jscript.dk and can get you to click a link in AIM or read a message in OE, the attacker wins.)
By the way, what's with IE turning every cross-domain hole into a full remote compromise by letting sites link to res: urls? Current versions of Mozilla block links to chrome/res and even file, so a cross-domain hole doesn't even let sites read local files.
The shareholder is always right.
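The scheme-blocking rule from the comment above, together with the zone problem described in the advisory, as an added example that is not part of the thread and is not Mozilla's or IE's code. The function names, the three-URL model and the `example` hosts and paths are assumptions made for illustration.

```javascript
// Added illustration. The scheme list (chrome, res, file) comes from the
// comment above; the rest of the policy is an assumed simplification.
const LOCAL_SCHEMES = new Set(["chrome", "res", "file"]);

// Browsers drop tabs/newlines and surrounding whitespace before parsing a
// URL, so the policy has to normalise the same way before it looks at the scheme.
function schemeOf(url) {
  const cleaned = url.replace(/[\t\n\r]/g, "").trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null means a relative reference
}

function sameOrigin(a, b) {
  try {
    const originA = new URL(a).origin;
    // Opaque origins (file:, res:, ...) serialise as "null" and never match.
    return originA !== "null" && originA === new URL(b).origin;
  } catch (e) {
    return false; // unparsable URL: fail closed
  }
}

// sourceUrl:    page (or history entry) that supplied the link
// targetUrl:    URL being navigated to
// displayedUrl: document currently shown, whose zone a script would inherit
function decideNavigation(sourceUrl, targetUrl, displayedUrl) {
  const source = schemeOf(sourceUrl);
  const target = schemeOf(targetUrl) || source; // relative links inherit
  if (target === "javascript") {
    // A javascript: URL may only run where its supplier could already script.
    return sameOrigin(sourceUrl, displayedUrl) ? "run-as-source" : "block";
  }
  // Web content may not link into local or privileged schemes.
  if (LOCAL_SCHEMES.has(target) && !LOCAL_SCHEMES.has(source)) return "block";
  return "allow";
}
```

Called with the supplying page, the target and the currently displayed document, the function returns "block" whenever a `javascript:` URL would run against a document its supplier could not already script, which is the situation the advisory describes for the Back button.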
That's what I love about using Win4Lin:
"Windows needs to restart in order to complete your request to change the default window frame color. Press OK to restart."
I press OK, and Win98 "reboots" in 7 seconds flat.
I'm not sure about the other (commercial or open source) browsers. However, I use a Mac OS X Cocoa browser, called Omniweb [http://www.omnigroup.com/products/omniweb/]. It has a feature where the user can stop loading individual parts of a page. For instance, say you're loading a page with 60 images. Normally, you'd click the stop or back button in a browser. In Omniweb, the text would still load - but you could stop loading some of the larger images.
Mmmmmmmm. I can't find the pages anymore. I found that tidbit in a link off of an old topic on /. (remember when MS was about to release 5.5 with little to no CSS1 and DOM support and the W3C raised hell?). I can't seem to find it anymore. After more thinking, I think it was just the rendering engine, and they may have slid it in a Service Pack (SP1?).
You can find a few articles around the web about IE 5.5 for Mac doing it right, but I can't find the explicit reference to the codebase being ported.
Well, there are 3 options:
1) I'm wrong (very possible)
2) I heard it on the Internet so it must be true (see #1)
3) The Microsoft Censorship Conspiracy (possible, but paranoid)
4) It really happened that way.
Pick the one you like, but that's what my memory recalls.
I think Mauve has the most RAM. --PHB (Dilbert Comic)
Tune your settings (prefs - history and cache) a bit to reduce resource usage. I've seen it work fine on computers with 32 MB RAM, way, way faster than either IE or NN, so it doesn't really need all those resources it takes, though of course they don't hurt.
Opera isn't really faster anymore than IE when you're viewing only one page at a time. If you're viewing half a dozen or more, IE really sucks while Opera is godlike. Switching between windows is virtually instant.
Oh and not to mention mouse gestures. I doubt I can ever use a browser without mouse gestures again.
As for DHTML support, yep, it sucks, but well, DHTML sucks, too. It's rarely used appropriately; much like Flash, it's more of a proof of a web designer's incompetence and reliance on flashy effects rather than solid content.
Switch back to Slashdot's D1 system.
It will have an effect on the stats gathered, but it wouldn't inflate the stats on IE6.0 because it can't identify itself as IE6.0, only IE5.0.
Still, it'd be interesting to know what percentage of the MSIE5.0 and Netscape and Others were attributable to Opera.
If you clicked the link to read the article, you can't hit the 'back' button to return to slashdot...
I tried it...
it does work when the page is on my hard drive,
but it doesn't work when I upload the page to the internet...
In other words, what the parent posted runs in the correct security zone, no problem there.