[thelist] FYI - IE cross domain cookie bug..

Ron Thigpen rthigpen at nc.rr.com
Fri Nov 9 16:02:19 CST 2001


There are a few good workarounds that will protect your cookie data from 
malicious copying.

Disabling all cookies, and active scripting should prevent this attack. 
Remember to disable scripting in e-mail. (If using Outlook, set the 
e-mail content zone to "Restricted Sites".  This option should be 
available under the security settings.)

If you don't like losing the functionality of cookies and scripting, and 
are comfortable making changes to your system registry, the following 
also provides protection, while leaving these enabled.

This vulnerability depends on scripting that can occur on pages loaded 
under the "about:" protocol.  Assigning this protocol to the Restricted 
Sites security zone prevents pages using this protocol from running 
scripts. This will provide protection.  You have to edit the registry to 
make this assignment.

All the usual disclaimers about registry editing apply: it can break 
your system, make backups before editing, and don't do this if you don't 
know what you are doing.  I'm not responsible if you break your system.

Create a DWORD value in the registry named "about" under: 
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
and set its value to 4.

You can test for vulnerability at the following page:
<http://www.solutions.fi/index.cgi/extra_iebug?lang=eng>
Load this into a suspected vulnerable browser and enter the URL of a 
site you know you have cookies set for (and don't mind exposing to this 
webserver).

FWIW, Microsoft is blaming the discoverer of this vulnerability for 
irresponsibly releasing its details, even though this has been in the 
open for at least three weeks now 
(http://www.securityfocus.com/archive/1/221612) and the fix is 
apparently as simple as adding a single registry value.

<quote source="MS">
Why isn't there a patch available for this issue?

The person who discovered this vulnerability has chosen to handle it 
irresponsibly, and has deliberately made this issue public only a few 
days after reporting it to Microsoft. It is simply not possible to 
build, test and release a patch within this timeframe and still meet 
reasonable quality standards.
</quote>

be careful out there,

--rt


Daniel J. Cody wrote:

> http://news.cnet.com/news/0-1005-200-7828689.html
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp 
> 
> Apparently, the security hole allows malicious sites or HTML formatted 
> emails to read cookies from domains outside their own. e.g. a malicious 
> page on ebay.com could read a cookie set by amazon.com
> 
> No patch yet. Fix is to disable active scripting and wait.
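An added example, not from Ron's post or from Microsoft: a PowerShell audit of the "about" entry under ZoneMap\ProtocolDefaults, checking both the machine-wide key Ron names and the per-user copy IE keeps under HKCU, with an optional switch that applies the zone-4 (Restricted Sites) mapping he describes. The zone-number-to-name table is the standard IE one; the function and parameter names are my own.

```powershell
# Audit (and optionally apply) the "about" protocol -> security zone mapping.
# Zone numbers used by Internet Explorer's ZoneMap:
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

# IE keeps a per-user ZoneMap under HKCU as well as the machine-wide one,
# so audit both; the post only mentions HKLM.
$ProtocolDefaultKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
)

function Get-AboutProtocolZone {
    # Returns the zone number the "about" protocol is mapped to, or $null if unmapped.
    param([string]$Key)
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name 'about' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.about
}

function Invoke-AboutProtocolAudit {
    # -Apply writes about=4 (Restricted sites) to each key; HKLM needs an elevated shell.
    param([switch]$Apply)
    foreach ($key in $ProtocolDefaultKeys) {
        $zone = Get-AboutProtocolZone -Key $key
        if ($null -eq $zone) {
            Write-Output "$key : 'about' not mapped (IE's built-in default applies)"
        } else {
            Write-Output "$key : 'about' -> zone $zone ($($ZoneNames[$zone]))"
        }
        if ($Apply -and $zone -ne 4) {
            # -Force overwrites an existing value of a different number or type.
            New-ItemProperty -Path $key -Name 'about' -PropertyType DWord -Value 4 -Force | Out-Null
            Write-Output "$key : set 'about' = 4 (Restricted sites)"
        }
    }
}

# Read-only audit by default; use  Invoke-AboutProtocolAudit -Apply  to set the value.
Invoke-AboutProtocolAudit
```

A mapping of 4 on both keys is the state Ron's registry edit aims for; an unmapped entry is what the default install shows.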
