Skip to comments.IE security hole leads to cookie jar (Get A Mac!)
Posted on 11/09/2001 10:40:49 AM PST by toupsie
IE security hole leads to cookie jar
By Stefanie Olsen
Staff Writer, CNET News.com
November 9, 2001, 11:05 a.m. PT
Microsoft has warned that versions of Internet Explorer can expose consumers' personal data contained within cookies.
The vulnerability exists within IE 5.5 and 6.0, but earlier browser editions "may or may not be affected," according to a security bulletin posted to Microsoft's Web site Thursday. The security flaw allows an outsider to break into cookies--tiny electronic files used by Web sites to file account information or personalize pages--through a specially crafted Web page or e-mail. A person could then steal or alter data from Web accounts, including credit card numbers, usernames and passwords.
"A malicious Web site with a malformed URL could read the contents of a user's cookie, which might contain personal information," according to the Redmond, Wash.-based company. "In addition, it is possible to alter the contents of the cookie. This URL could be hosted on a Web page or contained in an HTML e-mail."
The vulnerability comes only a week after security flaws were found in Microsoft's Passport authentication system, causing the software maker to remove the service from the Internet. The privacy breach in the Passport service, which keeps track of data used by e-commerce sites, potentially exposed the financial data of thousands of consumers, undermining the company's recent efforts to convince people that it is serious about security.
"I couldn't believe how easy it is," Smith said. "The danger here is that once you get somebody's cookie information for a particular Web site, you can get access to that account, whether it's private financial information or travel records."
Microsoft, which labeled the security problem "high" risk, said it is working on a patch. Meanwhile, the company is urging IE users to disable active scripting in the their browser settings. In addition, consumers using Outlook Express should set their preferences within the mail program to allow only "Restricted Sites" to load, according to the company.
To disable active scripting in IE, open the Tools menu in the browser, followed by Internet Options and then the tab for Security. Next, open the Custom Level option; in the Settings box, scroll down to the Scripting section. Click Disable under "Active scripting" and "Scripting of Java applets." Click OK, and then click OK again.
John (running Mandrake Linux 8.1)
Perhaps, real problem
Is, why cookies we must use,
Not choice of OS....
On a side note, Mandrake 8.1 has an awesome graphical installer, I played around with it about a month ago. Its almost as nice as the Mac OS X graphic installer :).
1. a mac is twice the cost of a comparable pc. you pay (and pay and pay everytime you buy a new mac peripheral).
2. hackers don't bother to look for bugs in mac software because nobody (less than 10% of pc users) uses macs. if macs became popular, you'd have monthly reports of mac bugs, too. (well, maybe only half as many but reports but you'd still see bunches of mac bug reports.)
no hacker cares about finding new mac bugs! that's why there are no mac bug reports.
In response to Bill's comments, General Motors should have issued a press release stating: "If GM had developed technology like Microsoft, we would all be driving cars with the following characteristics:
1. For no reason whatsoever, your car would crash twice a day.
2. Every time they repainted the lines in the road, you would have to buy a new car.
3. Occasionally your car would die on the freeway for no reason. You would have to pull over to the side of the road, close all of the car windows, shut it off, restart it, and reopen the windows before you could continue. For some reason you would simply accept this.
4. Occasionally, executing a maneuver such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine.
5. Only one person at a time could use the car unless you bought "CarNT," but then you would have to buy more seats
6. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive- but would only run on five percent of the roads.
7. The oil, water temperature, and alternator warning lights would all be replaced by a single "General Protection Fault" warning light.
8. New seats would force everyone to have the same sized butt.
9. The airbag system would ask "are you SURE?" before deploying.
10. Occasionally, for no ! ! reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna.
11. GM would require all car buyers to also purchase a deluxe set of Rand McNally Road maps (now a GM subsidiary), even though they neither need nor want them. Attempting to delete this option would immediately cause the car's performance to diminish by 50% or more. Moreover, GM would become a target for investigation by the Justice Dept.
12. Every time GM introduced a new car, car buyers would have to learn to drive all over again because none of the controls would operate in the same manner as the old car.
13. You'd have to press the "Start" button to turn the engine off
I personally don't use any Microsoft stuff, thankfully. Not that I have the option...since I run Linux on all my machines. :-)
OK...it's true that Macs are more expensive, but this part hasn't been true for some time. All modern Macs are PCI-based (as all most modern Suns; even the E10K has PCI slots in addition to SBus).
Apple must be lagging in sales, these "flaws" are getting more and more silly, lol.
As for hackers. Hackers don't care about the OS. They care about taking over computers so they can use them for nefarious purposes. By your logic, hackers would not go after Solaris (Sun) or Tru64 (DEC Alpha) or OS/400 (IBM) but they do. If Macs were cars, they would have a larger market share than Chrysler. Most computer companies would drool themselves dry if they sold as many computers a year as Apple not to mention that Apple is the only CPU manufacturer that is making a profit in these tough economic times. The reason that hackers go after Microsoft products is due to their poor design. Why beat your head against the wall hacking a UNIX/BSD based Operating System like Mac OS X which is rock solid when Microsoft makes it so easy to gain access to root of the OS over a network connection.
But the best thing about Mac OS X is you don't have to buy anti-virus software, firewalls, access control software and disk repair utils. As a bonus, you are never posting Virus/Worm alerts on Free Republic.
If you have never used a Mac or don't understand the Mac Operating Systems, I would hold your tongue. Mac users love to laugh at the misconceptions that Windows (L)users have about our equipment.
On a side note, Apple actually made its own distro of Linux in the mid-90s called MkLinux. It was a test bed for the mach kernel that is used in Mac OS X.
Cheers, CC :)
Well you most certainly are not a genius because you don't have a clue how a Macintosh works. The Mac I am using right now has 6 mouse buttons on my trackball that's 4 more buttons than a standard PC mouse. So if the number of mouse buttons makes an OS better by your logic, PCs really suck. Plus on my Mac, all I have to do to change text to BOLD is select the text and say "Bold". The built in Speech Input system in a Macintosh is amazing. I can almost voice control the entire operating system and applications. That isn't some add on but something that is built into the Operating System.
There's competition! Why not try Opera?
As for security risks, it is foolish to point fingers at other platforms too much.
Security requires further vigilance than relying on your computer maker to keep the bad guys out.
Up till now we in the Mac community have been "lucky" that our systems and AppleTalk networking
were not prevalent among hackers.
That has drastically changed with the freeBSD underpinnings in our OS.
From known problems in the 'NIX community with Apache and Perl/cgi to new issues with Apple's
implementation of iDisk we need to stop pointing fingers and start rooting out our own problems.
iMacs come with ONE button...in fact, I think all of them come with ONE button. Stupid design. Most techs I know agree wholeheartedly.
Yep, these are the 4% who probably SHOULD be using Macs.
An expensive and unnecessary move imo. I got a linux virtual root trojan via a Windows '98 HD while booted in Windows. Some viruses are made to load vai Windows and attack linux and vice-versa since they can pass unrecognized thru each OS's virus scanner.
My solution was to dump '98; write 0s to the linux HD; reload Mandrake 8.1 and put XPpro (fat32) on the zeroed-out Windows drive and reload my database. Worked like a charm. The name of the virus was CodeRed.C. It's an NT4-based virus. It has 3 NT4 payloads and uses the 2000 Server exploit simply for transmission.
The NT5 OSs are nice though. However, you can pay $400 for XPpro's protected memory and file system or get the same for free using Mandrake 8.1 with JFS:Reiser partitioning.
And there's your problem. Macs are not designed for techs, they are designed for normal people. You and I have no trouble with 5-button mice and scroll wheels, but not everyone is as comfortable with computers. Macs are designed to be completely usable with one button, while taking advantage of extra buttons if available, which seems like a good decision to me. I do agree that the "professional" Mac models (G4 towers) should ship with a multi-button mouse, but it's a minor quibble.
Do any of these "techs" actually know how a Macintosh operates or are they the typical tech that only supports what their $5,000 MSCE course taught them? And what is a tech? Someone that works for me, an Administrator. If you are focused on the number of buttons on your mouse, it sounds like a personal problem. The fewer number input devices required to run a computer is better not more. A computer is supposed to reduce work load not increase confusion.
Have you tried out ext3? I am having fun with my backup database server pushing a high load on it and pulling the power plug on it to see it recover without skipping a beat. I have to try out JFS:Reiser.
I would have to disagree. Mac OS X is perfect for "Techs". The power of BSD/UNIX with the ease and speed of Mac. DROOL!!!
I tried to break JFS:Reiser on Mandrake 8.1beta2 and succeeded on the second attempt. The reworked JFS:Reiser for 8.1final survived 3 attempts so I'm using that now (along with XPpro on another channel). They're both great imo but Linux's security is (of course) better since it's not shell based.
If OS X is programmable, and I wanted to get it, what is the best system to go for? Is it upgradeable/tweakable?
Can you post links to some info and impartial reviews?
Mac OS X is fantastic for programmers. You have a full Unix underneath the UI, and Apple's developer tools are free; they come with the OS X retail package and you can download them from the web. The Cocoa API is the best I've seen on any system. Apple is definitely encouraging third party developers much more than they have in the past.
Well, that is a change! Thanks, guess I'll have to read up on it and look into maybe purchasing. One can never have too many computers, can one?
Outside of REALbasic, Cocoa is the fastest development system I have used. I am moving over a lot of the systems I wrote for Tru64 (I am a closet DEC Alpha fan) over to Mac OS X because of Cocoa. Easy as pie!
Get real. Ever heard of netscape? Linux?
The consumer version of Mac OS X does not come with any virus protection software.
It does come with the same firewall that is intalled with any freeBSD distribution.
It is not set up by default and must be configured via the command line or a third party utility.
The firewall is not strictly an Apple product though (no monopoly there).
I do believe that Microsoft should be as free as Apple or any other company to legally engage in business
the way they see fit.
Apple would do fine along side an unrestrained Microsoft.
My company, almost 18 years old now, uses Macs because we get more work work done in a day than we could with PCs. And that is for me, the end of the story.
I searched Wired for that, but couldn't find it. PLEASE tell me you have a link to it. Thanks.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.