You are subscribed to the Mac EvangeList - <http://www.MacEvangeList.com>





Beyond being yet another back door in Windows, this article reveals some of
the mindset and importance of security at a company that has been telling us
recently how serious it is to them - Shane


Another Big MS Browser Hole Found
By Michelle Delio  

11:41 a.m. April 17, 2002 PDT
Internet Explorer users who click their browser's back button open the
Windows operating system to a malicious hack attack.


When users hit the back button on Explorer's toolbar, the browser's security
settings for the "Internet" zone can be bypassed, and the browser will
automatically execute malicious code embedded into a site's URL.

The problem is caused by what can politely be described as a design flaw in
Explorer. When a Web page fails to load, Explorer displays a standard error
message. This message is set to operate in the "Local Computer Zone"
security setting, which by default allows scripting to run automatically.

Any code inserted in the original URL is handled as if it comes from the
same security zone as the last URL viewed. So a URL containing malicious
JavaScript that might be blocked by default if a user visits the site
directly, will be automatically triggered when the user presses the back
button. 

Many users hit the back button when a Web page fails to load in a timely
manner. 

The exploit was discovered by Andreas Sandblad, a Swedish engineering
student. Sandblad said he notified Microsoft of the problem last November.
He provided additional information to Microsoft on March 25.

"Originally, I was only able to produce the same result when the user
pressed the refresh button," Sandblad said in an e-mail. "I contacted
Microsoft about it in November and they confirmed the problem. On Feb. 28, I
received mail from them saying that they didn't think the problem was
serious enough to fix."

More here: http://www.wired.com/news/technology/0,1282,51899,00.html


