[thelist] FYI - IE cross domain cookie bug..
Ron Thigpen
rthigpen at nc.rr.com
Fri Nov 9 16:02:19 CST 2001
There are a few good workarounds that will protect your cookie data from
malicious copying.
Disabling all cookies and active scripting should prevent this attack.
Remember to disable scripting in e-mail. (If using Outlook, set the
e-mail content zone to "Restricted Sites". This option should be
available under the security settings.)
If you don't like losing the functionality of cookies and scripting, and
are comfortable making changes to your system registry, the following
also provides protection, while leaving these enabled.
This vulnerability depends on scripting that can occur on pages loaded
under the "about:" protocol. Assigning this protocol to the Restricted
Sites security zone prevents pages using this protocol from running
scripts. This will provide protection. You have to edit the registry to
make this assignment.
All the usual disclaimers about registry editing apply: it can break
your system, make backups before editing, and don't do this if you don't
know what you are doing. I'm not responsible if you break your system.
Create a DWORD value in the registry named "about" under:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
and set its value to 4.
You can test for vulnerability at the following page:
<http://www.solutions.fi/index.cgi/extra_iebug?lang=eng>
Load this into a suspected vulnerable browser and enter the URL of a
site you know you have cookies set for (and don't mind exposing to this
webserver).
FWIW, Microsoft is blaming the discoverer of this vulnerability for
irresponsibly releasing its details, even though this has been in the
open for at least three weeks now
(http://www.securityfocus.com/archive/1/221612) and the fix is
apparently as simple as adding a single registry value.
<quote source="MS">
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it
irresponsibly, and has deliberately made this issue public only a few
days after reporting it to Microsoft. It is simply not possible to
build, test and release a patch within this timeframe and still meet
reasonable quality standards.
</quote source="MS">
be careful out there,
--rt
Daniel J. Cody wrote:
> http://news.cnet.com/news/0-1005-200-7828689.html
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp
>
> Apparently, the security hole allows malicious sites or HTML formatted
> emails to read cookies from domains outside their own. e.g. a malicious
> page on ebay.com could read a cookie set by amazon.com
>
> No patch yet. Fix is to disable active scripting and wait.
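
The registry change described in the message above, written as a PowerShell function that checks the current mapping, backs up the key and then sets the value. This is an added example, not part of the original post; the function name `Set-AboutProtocolZone` and the backup file location are assumptions made here.

```powershell
# Added example: audit and apply the "about" -> Restricted Sites (zone 4)
# mapping described in the message. HKLM is machine-wide, so run elevated.
# The function name and backup location are hypothetical choices.
function Set-AboutProtocolZone {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Zone = 4,   # 4 = Restricted Sites zone
        [string]$BackupFile = "$env:TEMP\ProtocolDefaults-backup.reg"
    )
    $sub     = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
    $key     = "HKLM:\$sub"   # PowerShell provider path
    $regPath = "HKLM\$sub"    # reg.exe path

    # Stop rather than create the key: a missing key means the layout
    # differs from the one the message assumes.
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Key not found: $key"
    }

    # Read the current mapping, if any, so the change can be reported.
    $current = (Get-ItemProperty -LiteralPath $key -Name 'about' -ErrorAction SilentlyContinue).about
    if ($current -eq $Zone) {
        Write-Output "about: already mapped to zone $Zone; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess($key, "Set 'about' to $Zone")) {
        # Back up the key first, as the message advises.
        & reg.exe export $regPath $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; no change made.' }

        # -Force creates the value or overwrites an existing one.
        New-ItemProperty -LiteralPath $key -Name 'about' -PropertyType DWord -Value $Zone -Force | Out-Null

        # Read the value back to confirm the write took effect.
        $after = (Get-ItemProperty -LiteralPath $key -Name 'about').about
        Write-Output "about: was '$current', now $after (backup: $BackupFile)"
    }
}

# Dry run: reports what would change. Drop -WhatIf to apply.
Set-AboutProtocolZone -WhatIf
```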