Posted on 01/16/2002 9:20:35 AM PST by AFreeBird
Microsoft Investigates Alleged Flaw in Browser
Experts say standard security rule ignored
By JAIKUMAR VIJAYAN
(January 14, 2002)
Microsoft Corp. is investigating an alleged flaw in recent versions of its Internet Explorer (IE) browser software that could allow attackers to spoof legitimate Web sites, steal content from browser cookies and gain access to certain types of files on a victim's system.
The alleged flaw, which affects IE Versions 5.5 to 6, was first reported to the company on Dec. 19 by an independent security researcher who refers to himself as ThePull.
The vulnerability is the result of Microsoft's failure to abide by an industry-standard browser security rule known as the same-origin policy, said David Ahmad, moderator of Bugtraq, a mailing list on which ThePull first posted details of the alleged flaw.
The same-origin policy exists to keep a malicious Web site from interacting with, or stealing sensitive information from, the pages and cookies of other sites a user has visited; browsers treat two pages as the same origin only when they were loaded from the same site (in practice, the same scheme, host and port). In other words, when a page on one Web site opens a page from another Web site in a separate pop-up window, script code from the first page shouldn't be able to read or alter the information or properties of the second.
In an e-mail sent to Computerworld Jan. 8, a spokesman for Microsoft's Security Response Center said the company is investigating the issue "just as we do with every report we receive of security vulnerabilities affecting Microsoft products."
"At this point in the investigation, we feel that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information," the spokesman wrote.
Even so, said Ahmad, Microsoft's failure to abide by the industry standard in recent IE versions has resulted in severe security vulnerabilities.
"If you use the document.write method in the correct manner as stated by Microsoft's own documentation, you are able to spoof sites, read cookies from other sites and read local files on a user's system," ThePull wrote in an e-mail to Computerworld. "This means that someone could send you an e-mail from security@microsoft.com to download an important update with a link; upon clicking that link, you could be brought to a Web page with a Trojan [horse] on it."
Because of the flaw, attackers could potentially construct Web sites that steal cookies, perform actions on different sites through script code and transmit the content of text files to attacker-controlled Web servers, warned an advisory by San Mateo, Calif.-based SecurityFocus.com.
Perhaps the most serious consequence is that trusted Web sites can be replaced with "attacker-created HTML," the advisory said. The best way for users to handle the problem is to turn off JavaScript, said ThePull.
Meanwhile, security firms last week reported the first virus directed at Microsoft's .Net platform. Called W32.Donut, the virus isn't likely to be a major threat because of the small installed base of .Net users, according to an advisory by Sunnyvale, Calif.-based McAfee.com Corp.
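To make the rule the article describes concrete, here is an added example (not code from the article, from Microsoft, or from ThePull's advisory): a small Node.js model of the same-origin policy applied to the pop-up scenario above. An origin is the scheme, host and port of a URL; a script may read another window's cookies only when both windows share that origin. The site names, cookie values and the `BrowserWindow` class are constructed for illustration and are not real browser APIs; the example deliberately models only the policy check, not the document.write behaviour the article says IE got wrong.

```javascript
// Added example, not code from the article or from ThePull's advisory: a
// small Node.js model of the same-origin policy that, per the article, IE
// 5.5-6 failed to enforce. An origin is the (scheme, host, port) tuple of a
// URL; a script may read another window's cookies only when both windows
// share that tuple. Site names and cookie values are constructed sample data.

// Constructed cookie jar keyed by origin (assumption: one cookie string per origin).
const COOKIE_JAR = {
  "http://attacker.example": "tracking=abc",
  "https://bank.example": "session=9f1c2e; auth=1",
};

// Reduce a URL to its origin. new URL() already drops a default port
// (http://a.example:80 -> port ""), so default and omitted ports compare equal.
function originOf(url) {
  const u = new URL(url);
  return u.port ? `${u.protocol}//${u.hostname}:${u.port}` : `${u.protocol}//${u.hostname}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Model of a browser window (hypothetical class, not a browser API): its
// location, the cookies of the site it shows, and the window that opened it.
class BrowserWindow {
  constructor(url, opener = null) {
    this.url = url;
    this.cookies = COOKIE_JAR[originOf(url)] || "";
    this.opener = opener;
  }

  // Simulates window.open(url) called by script running in this window.
  open(url) {
    return new BrowserWindow(url, this);
  }

  // The check a conforming browser performs before script in this window
  // may touch another window's document: refuse unless the origins match.
  readCookieFrom(target) {
    if (!sameOrigin(this.url, target.url)) {
      throw new Error(
        `same-origin policy: script from ${originOf(this.url)} may not read ${originOf(target.url)}`
      );
    }
    return target.cookies;
  }
}

// The pop-up scenario from the article: a page on the attacker's site opens
// a second site in a new window and tries to read that window's cookies.
// Returns what the attacker's script obtained for each attempt (null = blocked).
function popupScenario() {
  const attackerPage = new BrowserWindow("http://attacker.example/lure.html");
  const bankPopup = attackerPage.open("https://bank.example/account");
  const ownPopup = attackerPage.open("http://attacker.example/popup.html");

  let crossSite;
  try {
    crossSite = attackerPage.readCookieFrom(bankPopup);
  } catch (e) {
    crossSite = null; // a conforming browser blocks the cross-origin read
  }
  return {
    crossSite,
    sameSite: attackerPage.readCookieFrom(ownPopup), // same origin: allowed
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(popupScenario());
}
```

Running the file prints `{ crossSite: null, sameSite: 'tracking=abc' }`: the attacker's page can read cookies from a pop-up of its own site but not from the bank's. The flaw the article reports is precisely a browser that answers the first read with the bank's cookies instead of refusing; note that a scheme mismatch (http versus https), a subdomain, or a non-default port each count as a different origin, which is why the comparison is on the full tuple rather than the host name alone.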
So what part of this didn't you understand? If the exploit is three years old and is known, and a fix has been supplied, yet someone is leaving it open for their own purposes, what exactly is your problem?
According to Sun's web site:
________________________________________________________________________________
Bulletin Number: #00192
Date: December 29, 1999
Cross-Ref: CERT CA-99-11
Title: CDE and OpenWindows
Revision History:
March 28, 2000: Updated patch information
March 3, 2000: Updated patch information
January 25, 2000: Updated patch information
December 29, 1999: Initial release