[thelist] RE: Most standards compliant browser?

[.jeff]

andrew,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Andrew Forsberg
>
> Took a while to find it, but here's the MS bulletin:
> http://www.microsoft.com/technet/security/bulletin/MS01-055.asp
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

yes, i'm quite familiar with this particular hole.  however, it's not quite
as exploitable as it first seems.  it doesn't make all your cookies world
readable by default.  all it does is gives a malicious user the ability to
look for and extract cookies they think may exist.  so, for it to be truly
useful, one would have to know there's an amazon.com cookie with useful info
in it and craft a url to grab its contents.  however, microsoft did a damn
good job of having a patch for this cookie available from their site within
5 business days of the breaking news.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> I should really have said 'world readable and world
> writable'. A really basic standard of privacy was
> lacking in 5.5 and 6.0 for quite some time.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

yes, lacking for quite some time, but only recently discovered and almost
immediately there's a patch available for it.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> There's also the super cookie problem:
> http://www.computerbytesman.com/privacy/supercookie.htm
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

yeah, that's a valid issue, though it probably wasn't seen as a means of
tracking when originally implemented in windows media player.  leave it up
to a crafty individual to consider other uses for this sort of information.

i'm sure that if nn6 had the market share, people would be concentrating
their efforts on discovering and exposing all sorts of security threats with
that browser.

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/