Date: Mon, 6 Nov 2000 17:54:55 -0500
Reply-To: Jonc <jonc@VALLEY.NET>
Sender: Vanagon Mailing List <vanagon@gerry.vanagon.com>
From: Jonc <jonc@VALLEY.NET>
Subject: no vanagon content but you may be interested anyway
Content-Type: text/plain; charset="iso-8859-1"

MORE FLAWS IN INTERNET EXPLORER AND OUTLOOK: NOW YOU
CAN RECEIVE E-MAILS THAT READ YOU

Posted at November 3, 2000 01:01 PM Pacific

A FLAW THAT'S BEEN newly discovered in Microsoft's
Internet Explorer 4 and 5 allows almost any Web site
you visit to read all the files on your hard disk.

And, because recent versions of Outlook and Outlook
Express use IE's code base to display complex e-mail
messages, even an e-mail you receive can read all
about you. No attachment is required.

This new problem was found by Georgi Guninski, who's
made something of a sport of exposing Microsoft weaknesses.
Guninski has even created a Web page that demonstrates
the problem. It merrily lists all the file names in
the root of your C: drive.

But don't go to this Web site until you use Microsoft's
patch (see below) or take the following steps to
prevent other Web sites from viewing your files.

My thanks go to Steve Fallin of WatchGuard Technologies
(http://www.watchguard.com) for his work-around:

Step 1. In Internet Explorer, pull down the Tools menu,
and then click Internet Options.

Step 2. Click the Security tab.

Step 3. Select the Internet icon, and then click Custom
Level.

Step 4. Scroll down to Microsoft VM/Java Permissions,
and then click Custom.

Step 5. Click the Java Permissions Settings button.

Step 6. Click the Edit Permissions tab.

Step 7. Change the radio button under Run Unsigned
Content to Disable. Change Signed Content to Prompt.

Step 8. Click the Reset button.

Step 9. Click OK or Yes all the way out to save your
changes.

These steps will disable Java applets and plug-ins from
"unsigned" (anonymous) Web sources. If the creator has
"signed" the applet, you will see a prompt asking you
to accept (if you really trust the source) or reject.

If you've made the changes outlined above, you're ready
to visit Guninski's site and see how easily a mere Web
page or e-mail can read your entire hard drive. Go to
http://www.guninski.com/javacodebase1-desc.html. This
text page links to the actual demonstration.

In my tests, I found that once a machine has run
Guninski's demo, the exploit still works later, even
after you apply the work-around.

However, if the change is made before a machine visits
Guninski's site, his demo cannot automatically have
its way.

Instead, you are presented with the prompt I mentioned
earlier: "Do you want to allow software such as
ActiveX controls and plug-ins to run?" If in doubt,
you should answer No to this question.

In Guninski's case, it's safe to click Yes to see for
yourself how a Web site or e-mail can read your entire
hard drive.

WatchGuard's Fallin says his company's firewall
products can stop Java applets if you configure the
hardware that way. "But we can't require one policy
that works in all situations," he says. Instead, he
says companies must judge for themselves "the
trade-off between usability and security."

For information and Microsoft's patch,
go to http://www.microsoft.com/technet/security/bulletin/fq00-081.asp.