Posted on 11/09/2001 10:40:49 AM PST by toupsie
IE security hole leads to cookie jar
By Stefanie Olsen
Staff Writer, CNET News.com
November 9, 2001, 11:05 a.m. PT
http://news.cnet.com/news/0-1005-200-7828689.html?tag=prntfr
Microsoft has warned that versions of Internet Explorer can expose consumers' personal data contained within cookies.
The vulnerability exists within IE 5.5 and 6.0, but earlier browser editions "may or may not be affected," according to a security bulletin posted to Microsoft's Web site Thursday. The security flaw allows an outsider to break into cookies--tiny electronic files used by Web sites to file account information or personalize pages--through a specially crafted Web page or e-mail. A person could then steal or alter data from Web accounts, including credit card numbers, usernames and passwords.
"A malicious Web site with a malformed URL could read the contents of a user's cookie, which might contain personal information," according to the Redmond, Wash.-based company. "In addition, it is possible to alter the contents of the cookie. This URL could be hosted on a Web page or contained in an HTML e-mail."
The vulnerability comes only a week after security flaws were found in Microsoft's Passport authentication system, causing the software maker to remove the service from the Internet. The privacy breach in the Passport service, which keeps track of data used by e-commerce sites, potentially exposed the financial data of thousands of consumers, undermining the company's recent efforts to convince people that it is serious about security.
Privacy and security expert Richard Smith verified the IE security flaw by writing a tiny bit of JavaScript to hijack information contained in a cookie.
"I couldn't believe how easy it is," Smith said. "The danger here is that once you get somebody's cookie information for a particular Web site, you can get access to that account, whether it's private financial information or travel records."
Microsoft, which labeled the security problem "high" risk, said it is working on a patch. Meanwhile, the company is urging IE users to disable active scripting in the their browser settings. In addition, consumers using Outlook Express should set their preferences within the mail program to allow only "Restricted Sites" to load, according to the company.
To disable active scripting in IE, open the Tools menu in the browser, followed by Internet Options and then the tab for Security. Next, open the Custom Level option; in the Settings box, scroll down to the Scripting section. Click Disable under "Active scripting" and "Scripting of Java applets." Click OK, and then click OK again.
John (running Mandrake Linux 8.1)
OS Disagree-ku
===========
Perhaps, real problem
Is, why cookies we must use,
Not choice of OS....
On a side note, Mandrake 8.1 has an awesome graphical installer, I played around with it about a month ago. Its almost as nice as the Mac OS X graphic installer :).
LOL
1. a mac is twice the cost of a comparable pc. you pay (and pay and pay everytime you buy a new mac peripheral).
2. hackers don't bother to look for bugs in mac software because nobody (less than 10% of pc users) uses macs. if macs became popular, you'd have monthly reports of mac bugs, too. (well, maybe only half as many but reports but you'd still see bunches of mac bug reports.)
no hacker cares about finding new mac bugs! that's why there are no mac bug reports.
In response to Bill's comments, General Motors should have issued a press release stating: "If GM had developed technology like Microsoft, we would all be driving cars with the following characteristics:
1. For no reason whatsoever, your car would crash twice a day.
2. Every time they repainted the lines in the road, you would have to buy a new car.
3. Occasionally your car would die on the freeway for no reason. You would have to pull over to the side of the road, close all of the car windows, shut it off, restart it, and reopen the windows before you could continue. For some reason you would simply accept this.
4. Occasionally, executing a maneuver such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine.
5. Only one person at a time could use the car unless you bought "CarNT," but then you would have to buy more seats
6. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive- but would only run on five percent of the roads.
7. The oil, water temperature, and alternator warning lights would all be replaced by a single "General Protection Fault" warning light.
8. New seats would force everyone to have the same sized butt.
9. The airbag system would ask "are you SURE?" before deploying.
10. Occasionally, for no ! ! reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna.
11. GM would require all car buyers to also purchase a deluxe set of Rand McNally Road maps (now a GM subsidiary), even though they neither need nor want them. Attempting to delete this option would immediately cause the car's performance to diminish by 50% or more. Moreover, GM would become a target for investigation by the Justice Dept.
12. Every time GM introduced a new car, car buyers would have to learn to drive all over again because none of the controls would operate in the same manner as the old car.
13. You'd have to press the "Start" button to turn the engine off
I personally don't use any Microsoft stuff, thankfully. Not that I have the option...since I run Linux on all my machines. :-)
OK...it's true that Macs are more expensive, but this part hasn't been true for some time. All modern Macs are PCI-based (as all most modern Suns; even the E10K has PCI slots in addition to SBus).
Apple must be lagging in sales, these "flaws" are getting more and more silly, lol.
As for hackers. Hackers don't care about the OS. They care about taking over computers so they can use them for nefarious purposes. By your logic, hackers would not go after Solaris (Sun) or Tru64 (DEC Alpha) or OS/400 (IBM) but they do. If Macs were cars, they would have a larger market share than Chrysler. Most computer companies would drool themselves dry if they sold as many computers a year as Apple not to mention that Apple is the only CPU manufacturer that is making a profit in these tough economic times. The reason that hackers go after Microsoft products is due to their poor design. Why beat your head against the wall hacking a UNIX/BSD based Operating System like Mac OS X which is rock solid when Microsoft makes it so easy to gain access to root of the OS over a network connection.
But the best thing about Mac OS X is you don't have to buy anti-virus software, firewalls, access control software and disk repair utils. As a bonus, you are never posting Virus/Worm alerts on Free Republic.
If you have never used a Mac or don't understand the Mac Operating Systems, I would hold your tongue. Mac users love to laugh at the misconceptions that Windows (L)users have about our equipment.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.