Old 17th January 2002, 11:18   #1
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
Internet Explorer security holes

This thread is a continuation of two previous ones in General Discussions:
http://forums.winamp.com/showthread.php?threadid=61877
http://forums.winamp.com/showthread.php?threadid=70708

In this thread I'll be posting news on Microsoft Internet Explorer's security holes. Since alleged security flaws come up almost every week, I'll try my best not to raise unnecessary alarms, by reporting only the really grave ones, and only those that affect the latest version. (As of now that means IE6.)

The latest, disclosed on 14 January, is described in this securityfocus.com article. It allows for arbitrary apps (or even CLSID objects, like the Control Panel) to be launched at the local machine when an HTML embedded object within a web page is clicked, without asking the user for confirmation first.

No solution has as yet been offered, and Microsoft has not yet acknowledged this exploit in its security bulletins page. I will post again when updates are available.

The smiley slot machine! | Quotable Blog
griffinn is offline   Reply With Quote
Old 21st January 2002, 14:23   #2
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
Upgrade from Win9x to WinXP -> IE6 patches removed

Reported in SecurityFocus:

When you have IE6 in a Win9x/ME system, and have over time applied various security patches through Microsoft's Windows Update, and then upgrade your OS to Windows XP Professional, the patches for IE6 cannot be carried through. What's worse, when you visit Windows Update, those patches do not show up as available for re-installation.

If this applies to you, take a look at the solution offered in SecurityFocus. It contains pointers to Microsoft download pages where you can manually download IE6 patches and re-apply them.
griffinn is offline   Reply With Quote
Old 15th February 2002, 05:04   #3
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
This is probably old news already, but I've been away on a short vacation. So here goes...

Microsoft has released a cumulative patch for Internet Explorer on 11 February. In addition to all old bugs in IE 5.01, 5.5 and 6.0, it also covers various bugs that have been reported in securityfocus.com and elsewhere from January to early February.

These bugs include buffer overruns (which allow a cracker to e.g. craft a URL in certain ways so your browser will execute arbitrary code of the cracker's choosing), and loopholes in the file saving/executing mechanism (when exploited, they cause the browser to execute a file right away instead of asking you to save it). So it's important that you update your Internet Explorer with this patch as soon as possible.

The smiley slot machine! | Quotable Blog
griffinn is offline   Reply With Quote
Old 28th March 2002, 23:16   #4
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
Another cumulative patch for IE 5.01, 5.5 and 6.0 has just been released to cover "2 vulnerabilities, the most serious of which would allow script to run in the Local Computer Zone."

Read the MS security bulletin, and install the patch now.

The smiley slot machine! | Quotable Blog
griffinn is offline   Reply With Quote
Old 29th March 2002, 01:57   #5
Flynnz
Major Dude
 
Join Date: Sep 2000
Location: mostly not here anymore
Posts: 855
Send a message via ICQ to Flynnz Send a message via AIM to Flynnz Send a message via Yahoo to Flynnz
Nice job dude.. thanks for the heads-up on the latest one.
Flynnz is offline   Reply With Quote
Old 29th March 2002, 14:12   #6
randman
Guest
 
Posts: n/a
Thanks for keeping us apprised griffin. These critical updates don't usually make it to the Windows Update page for days (or weeks).
  Reply With Quote
Old 1st April 2002, 03:05   #7
papadoc
Comfortably Numb
(Forum King)
 
papadoc's Avatar
 
Join Date: Jun 2001
Posts: 4,612
Thanks Griffinn.
This is another good and helpful thread.
I appreciate it.
Patch installed.
btw...I usually get notices like this from the LangaList Newsletter,
along with allot of other educated help and news concerning computers.
I highly recommend it.
It's a free, no spam, no spyware deal.
papadoc is offline   Reply With Quote
Old 1st April 2002, 04:20   #8
n_ick2000
Forum King
 
n_ick2000's Avatar
 
Join Date: May 2001
Location: -
Posts: 2,501
Send a message via AIM to n_ick2000 Send a message via Yahoo to n_ick2000
Thanks Griffinn. I'm applying the latest patch now.

|
n_ick2000 is offline   Reply With Quote
Old 18th April 2002, 03:31   #9
Flynnz
Major Dude
 
Join Date: Sep 2000
Location: mostly not here anymore
Posts: 855
Send a message via ICQ to Flynnz Send a message via AIM to Flynnz Send a message via Yahoo to Flynnz
Another Big MS Browser Hole Found

"Internet Explorer users who click their browser's back button open the Windows operating system to a malicious hack attack."
http://www.wired.com/news/technology...,51899,00.html

The scariest part for me: I wouldn't describe myself at all as "anti-Microsoft," but sometimes I do wonder about them...
Quote:
The proposed exploit scenario requires the attacker to compel the users to click on the back button while visiting a malicious website. This scenario does not constitute a viable threat to users following standard best practices," the [Microsoft] spokesman added.

Some users were surprised to find out that Microsoft believes that using the back button is not a standard, best security practice.

"Why the hell did they put a back button into the browser toolbar if they didn't want me to use it?" Martin Montez, a stockbroker, wondered. "I'm one of the few people in the world who actually reads the manuals and there's no warning anywhere that using the back button could compromise your system."
LMAO!!! That pretty much sums up what I was thinking as I read what MS has to say about the issue.
Flynnz is offline   Reply With Quote
Old 15th May 2002, 21:51   #10
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
Since the last cumulative patch, a number of vulnerabilities, from innocuous to deadly, have been reported in Internet Explorer 5.0, 5.5 and 6.0. Microsoft has just released another cumulative patch (Q321232) to address "six new vulnerabilities, the most serious of which could allow code of attacker's choice to run".

The patch is already available via Windows Update. For the gory details, read MS Security Bulletin MS02-023. (At the time of writing this page is not yet online. But it will be soon.)

The smiley slot machine! | Quotable Blog
griffinn is offline   Reply With Quote
Old 16th May 2002, 14:52   #11
Indyrod
Major Dude
 
Indyrod's Avatar
 
Join Date: Jun 2000
Location: Indianapolis, Indiana USA
Posts: 687
HINT ALERT!!!! Just use Netscape..... Don't be a Gate's drone, down with IE... (waving "GO NETSCAPE" flags to the masses)
Indyrod is offline   Reply With Quote
Old 16th May 2002, 15:39   #12
BDA7DD
Senior Member
 
BDA7DD's Avatar
 
Join Date: Jan 2002
Location: Ontario, Canada, eh?
Posts: 185
Send a message via ICQ to BDA7DD Send a message via AIM to BDA7DD Send a message via Yahoo to BDA7DD
You see? This is why you should be using a real browser. Give me Opera or give me death! Multiple browser windows hogging up the taskbar doesn't make sense. Opera keeps them all in one place like they should be. Opera is 100% compliant with all the latest W3C standards, and any proprietary browser-specific stuff (like MARQUEE and BLINK tags) is cut out and unsupported like it should be. Oh, and whoever invented mouse gestures is a genius!

Quote:
Originally posted by Indyrod
HINT ALERT!!!! Just use Netscape..... Don't be a Gate's drone, down with IE... (waving "GO NETSCAPE" flags to the masses)
Netscape sucks dick. 6.x is bloated with AOL crap, and 4.x can't do shit these days. If you're really hardcore-obsessed with Netscape, then the next-best alternative for you would be Mozilla. It's like a heavily stripped down Netscape 6.x with all of the functionality but none of the bloat. As a matter of fact, Netscape 6.x is built on Mozilla... I'd go as far as to say that Netscape 6.x is just Mozilla with a bunch of unnecessary bloat slapped on top of it. With Mozilla, you get everything that Netscape 6.x is useful for (such as the tabbed surfing,) without the useless crap that nobody would ever want in the first place (such as AIM and "Netscape Activation".)
BDA7DD is offline   Reply With Quote
Old 16th May 2002, 23:31   #13
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
Sadly, many large websites out there are b0rken / do not offer full functionality when viewed by Netscape.

Example #1: Webmonkey's DHTML navigation menu does not expand/collapse in Netscape; it only brings you to another page. The geeks at Webmonkey know what they are doing. If they decide not to tweak their scripts to support Netscape, I tend to believe it's simply because Netscape's DHTML sucks.

Example #2: PriceWaterhouseCooper's corporate site. I haven't tried to find out what causes the page to come up funny in Netscape, but I think it's Netscape's b0rken CSS support.

Example #3: KPMG's corporate site. Again, probably caused by bad CSS support in Netscape.

The smiley slot machine! | Quotable Blog
griffinn is offline   Reply With Quote
Old 17th May 2002, 00:23   #14
randman
Guest
 
Posts: n/a
From the "gory details":

"An information disclosure vulnerability related to the handling of script within cookies that could allow one site to read the cookies of another. An attacker could build a special cookie containing script and then construct a web page that would deliver that cookie to the user's system and invoke it. He could then send that web page as mail or post it on a server. When the page executed and invoked the script in the cookie, it could potentially read or alter the cookies of another site. Successfully exploiting this, however, would require that the attacker know the exact name of the cookie as stored on the file system to be read successfully."

I wonder if this is why my Norton AV just recently stopped a JS.Seeker virus hidden in a cookie? If so, I wonder if the MS patch will prevent it from happening in the future?

Either way, a good reason to be running an up to date virus program.
  Reply With Quote
Old 18th May 2002, 07:52   #15
BDA7DD
Senior Member
 
BDA7DD's Avatar
 
Join Date: Jan 2002
Location: Ontario, Canada, eh?
Posts: 185
Send a message via ICQ to BDA7DD Send a message via AIM to BDA7DD Send a message via Yahoo to BDA7DD
Quote:
Originally posted by griffinn
Sadly, many large websites out there are b0rken / do not offer full functionality when viewed by Netscape.
Which is why you use Opera. If any web pages don't show up properly in Opera, it's because they've probably got a stupid, lazy, uninformed webmaster who uses proprietary, browser-specific HTML code. Studies show that Opera 6 is actually MORE standards-compliant and compatible that Internet Explorer 6.

Oh, and if a website refuses to show up properly in anything but Internet Explorer, view the source code and inspect the "Generator" META tag. Chances are that site's been made in Microsoft FrontPage. If that's the case, there's your answer as to why the page won't show up in anything else. Every web page made in Microsoft FrontPage is specifically coded to intentionally screw up on any browser other than Internet Explorer. That said, those pages contain a much larger source to pack in all that proprietary code, which makes them load a lot slower if the page contains a lot of content, and is being viewed with a slow Internet connection.

With the above said, I think this is the perfect opportunity for me to pimp out Macromedia Dreamweaver and Macromedia Dreamweaver UltraDev, the best WYSIWYG webpage editors on the face of the earth. Both create clean, perfect HTML which will work on any browser, without any browser-specific proprietary garbage. If you do use it to include proprietary stuff, not only must it be done manually (so you're the only one to blame for it,) but in most cases it'll warn you that you're about to add proprietary code to your page (if you click "Yes" when it asks you "Are you sure," then you're just an idiot.)
BDA7DD is offline   Reply With Quote
Old 18th May 2002, 20:57   #16
baafie
feminazi
(Major Dude)
 
baafie's Avatar
 
Join Date: Apr 2001
Posts: 1,767
Quote:
Originally posted by BDA7DD
Which is why you use Opera. If any web pages don't show up properly in Opera, it's because they've probably got a stupid, lazy, uninformed webmaster who uses proprietary, browser-specific HTML code. Studies show that Opera 6 is actually MORE standards-compliant and compatible that Internet Explorer 6.
Note that if a page doesn't show up properly, the page uses DHTML, CSS or scripting properties and/or functions that non-IE browsers don't support. There are no Internet Explorer specific HTML tags that I know of.
baafie is offline   Reply With Quote
Old 18th May 2002, 22:23   #17
c2R
Stereotype?
(Forum King)
 
c2R's Avatar
 
Join Date: Jan 2001
Location: Ware, England
Posts: 3,511
Quote:
Originally posted by baafie

Note that if a page doesn't show up properly, the page uses DHTML, CSS or scripting properties and/or functions that non-IE browsers don't support. There are no Internet Explorer specific HTML tags that I know of.
The marquee tag is one of them...

Also Microsoft have introduced many non-standard HTML tags over the years that have been adopted by other browsers to maintain compatibility with web pages.
c2R is offline   Reply With Quote
Old 19th May 2002, 03:01   #18
BDA7DD
Senior Member
 
BDA7DD's Avatar
 
Join Date: Jan 2002
Location: Ontario, Canada, eh?
Posts: 185
Send a message via ICQ to BDA7DD Send a message via AIM to BDA7DD Send a message via Yahoo to BDA7DD
Quote:
Originally posted by baafie
Note that if a page doesn't show up properly, the page uses DHTML, CSS or scripting properties and/or functions that non-IE browsers don't support. There are no Internet Explorer specific HTML tags that I know of.
Opera has more CSS and DHTML support and compliancy than Internet Explorer. There are specific CSS and DHTML tags which are proprietary to Internet Explorer, however, so that may be the reason if you encounter a CSS or DHTML compatibility error in Opera. But it terms of complaince with open-industry, W3C-approved web standards, Opera runs laps around Internet Explorer hands down.

Quote:
Originally posted by c2R
The marquee tag is one of them...
So are CSS font filters, such as glow, dropshadow and xray. Again, my point about how Microsoft has made proprietary tags in CSS. If they can make proprietary tags for HTML, it's just as easy for them to do so with CSS and DHTML.

Quote:
Originally posted by c2R
Also Microsoft have introduced many non-standard HTML tags over the years that have been adopted by other browsers to maintain compatibility with web pages.
Exactly. Also, the authors/companies which make those browsers that support IE-specific functions have to pay Microsoft for the licence to use those specific functions if those features are protected by some sort of patent, and quite frankly I think that's just plain greedy. If my web browser doesn't support an IE-specific feature, I don't blame the creators of the browser, I blame Micrsoft. Browser authors shouldn't have to pay for the right to include support for a proprietary feature anyway. Besides, a lot of those IE-specific, proprietary features are either just plain annoying and useless (marquees and glowing text,) or horrible security vulnerabilities (ActiveX, VBScript and WSH embedding.) I'm glad that Opera doesn't support proprietary non-standards. I think it's better that way, personally.

Besides, Opera doesn't just have Internet Explorer beat in terms of open standards compliancy, but it's also got Internet Explorer beat in terms of innovative and useful features as well.

First of all, I've become hooked on mouse gestures. For those of you who have been using mice with scroll wheels for a long time, you probably know the feeling when you're using a mouse without a wheel (such as at a friend's house,) and you keep instinctively reaching between the left and right mouse buttons for a wheel, only to not find one there, don't you? Well, it's the exact same feeling you get once you're hooked on mouse gestures.

Secondly, the F12 menu. All you gotta do is hit F12 and menu will pop up which'll let you enable, disable and change certain key features. Either click the menu item or hit its keyboard shortcut (which I recommend) after hitting F12 and the settings will automatically apply. Then just reload the page if necessary. (EDIT) I was going to attach a screenshot of it to this message, but unfortunately I'm a dumb idiot and forgot to attach the damn thing before submitting this post. It's attached to the message below this one... *krrgh*

Last but not least, the "G" key. Just tap "G" on your keyboard to enable and disable graphics. This is a god send if you're stuck on a dialup connection like I used to be. If you want to see the graphics on the page you're viewing, just hit Shift+G to load them up without having to refresh the entire page.

All in all, Opera reigns superior over every other web browser out there. It's available for Windows, Macintosh, Linux/Solaris, BeOS, OS/2, QNX and Symbian, so go get it now. http://www.opera.com/
BDA7DD is offline   Reply With Quote
Old 19th May 2002, 03:22   #19
BDA7DD
Senior Member
 
BDA7DD's Avatar
 
Join Date: Jan 2002
Location: Ontario, Canada, eh?
Posts: 185
Send a message via ICQ to BDA7DD Send a message via AIM to BDA7DD Send a message via Yahoo to BDA7DD
Crap, I forgot to attach that file... oh well, here it is:
Attached Images
File Type: gif opera_f12_menu.gif (3.0 KB, 271 views)
BDA7DD is offline   Reply With Quote
Old 19th May 2002, 21:23   #20
wave106
Senior Member
 
Join Date: Mar 2002
Location: a box
Posts: 101
i know, you should get the patch! those bastard from ms suck. like really! they have enough more to put out a more securer explorer than the ones those monkies are putting out right now
wave106 is offline   Reply With Quote
Old 19th May 2002, 22:10   #21
Aeroe
Major Dude
 
Aeroe's Avatar
 
Join Date: Dec 2000
Location: Assembly Hall
Posts: 1,446
Send a message via AIM to Aeroe
opera's so cute, especially when my 50 or so bookmarks disappear without reason.

sheesh... why do i keep windows on this hd, every time i boot i need another 12 patches...
Aeroe is offline   Reply With Quote
Old 20th May 2002, 04:58   #22
Avalon
Major Dude
 
Avalon's Avatar
 
Join Date: Jan 2002
Location: New York City
Posts: 1,123
Send a message via AIM to Avalon
reason why I like Netscape... but dam it's loading tme.

If it wasn't for the fact that IE loads a lot faster then Netscape 6.2.3 then I would use netscape (as I used to, but really stared to be downed out by the loading tmes). I am a pure Netscape fan, it deals with web pages a lot better then IE does, Java WORKS! and, and, there aren't as many holds in it (yes, there is a few, but you know compared to the 700 tillion that IE has....). Also Netscape looks better!

But damn IE/OS intergration!!!
Avalon is offline   Reply With Quote
Old 20th May 2002, 05:11   #23
Avalon
Major Dude
 
Avalon's Avatar
 
Join Date: Jan 2002
Location: New York City
Posts: 1,123
Send a message via AIM to Avalon
Yeah, I used to have mozilla on my computer as well, and used quick launch when I had both netscape. I'm just waiting for the official public release so that I don't have to check it every five days. Also mozilla loads of a lot faster than netscape even without quick launch.
Avalon is offline   Reply With Quote
Old 20th May 2002, 06:43   #24
BDA7DD
Senior Member
 
BDA7DD's Avatar
 
Join Date: Jan 2002
Location: Ontario, Canada, eh?
Posts: 185
Send a message via ICQ to BDA7DD Send a message via AIM to BDA7DD Send a message via Yahoo to BDA7DD
Quote:
Originally posted by Sawg 2.0
Ditch Netscape 6 and get Mozilla. You do not have to put up with all the commercial crap AOL adds to Netscape. And it is updated faster.
Yes, definitely get Mozilla if you love Netscape too much to switch over to Opera. Both Mozilla and Opera are great browsers, but I'm personally an Opera fan (like I need to tell you guys that.)

Quote:
Originally posted by Sawg 2.0
Edit > Preferences > Advanced > CHECK "Enable Quick Launch"
Quick Launch is just a useless resource hog. I suggest keeping it disabled unless you can't handle waiting 2.5 seconds for it to start up.

Quote:
Originally posted by Aeroe
opera's so cute, especially when my 50 or so bookmarks disappear without reason.
Are you speaking from personal experience, or are you just reciting some rumour you heard from a friend of a friend? I've never had something like that happen to me in all the years I've been using Opera, so my best guess is that you either screwed something up yourself, or that you're just plain lying.
BDA7DD is offline   Reply With Quote
Old 20th May 2002, 11:19   #25
baafie
feminazi
(Major Dude)
 
baafie's Avatar
 
Join Date: Apr 2001
Posts: 1,767
Actually, every time I start up my computer, Opera's settings are reset.
/me awaits the next Opera version..
baafie is offline   Reply With Quote
Old 20th May 2002, 11:36   #26
Aeroe
Major Dude
 
Aeroe's Avatar
 
Join Date: Dec 2000
Location: Assembly Hall
Posts: 1,446
Send a message via AIM to Aeroe
nope no joke, i closed opera and a little later re-opened it to see all my bookmarks were gone... no crash or anything.
i bookmarked a page where i was to buy something.
http://mp3playerstore.com/buy_it_now__/soul-2.htm
heh the cd/mp3 player is sexy.

but the interesting thing it was still in my history, along with the bookmarked pages. it's v6.02.1101.
Aeroe is offline   Reply With Quote
Old 20th May 2002, 12:56   #27
BDA7DD
Senior Member
 
BDA7DD's Avatar
 
Join Date: Jan 2002
Location: Ontario, Canada, eh?
Posts: 185
Send a message via ICQ to BDA7DD Send a message via AIM to BDA7DD Send a message via Yahoo to BDA7DD
Quote:
Originally posted by baafie
/me awaits the next Opera version..
Well don't just sit there with your thumb up your ass, submit a bug report, damn it! Geez, you complain about these problems but do nothing to try and solve them? What's with you people anyway? They won't know if the problems are there if nobody speaks up about them! If they don't know about the problems, they can't fix them, because as far as they're concerned at the moment, those problems don't exist!

http://www.opera.com/support/bugs/ <-- Submit your Opera bug reports here.
BDA7DD is offline   Reply With Quote
Old 20th May 2002, 21:49   #28
Aeroe
Major Dude
 
Aeroe's Avatar
 
Join Date: Dec 2000
Location: Assembly Hall
Posts: 1,446
Send a message via AIM to Aeroe
hmmm you need a beer kid.
Aeroe is offline   Reply With Quote
Old 20th May 2002, 23:57   #29
BDA7DD
Senior Member
 
BDA7DD's Avatar
 
Join Date: Jan 2002
Location: Ontario, Canada, eh?
Posts: 185
Send a message via ICQ to BDA7DD Send a message via AIM to BDA7DD Send a message via Yahoo to BDA7DD
As long as it's Canadian beer (none of that cheap American piss,) toss me a bottle, lassie!
BDA7DD is offline   Reply With Quote
Old 21st May 2002, 07:13   #30
Avalon
Major Dude
 
Avalon's Avatar
 
Join Date: Jan 2002
Location: New York City
Posts: 1,123
Send a message via AIM to Avalon
Hey, HEY!!!! No dissing on my American beer... so what it's water, it has it's uses!!!

Yeah as I said, I'll switch to Mozilla soon (even though it is really Netscape but anyway).

Oh btw, for you people in the know, there are a lot of other programs that use the IE base, such as Morpheus, MusicMatch (ack, I mentioned another mp3 player aside from winamp... forgive me gods, fooooorgive meeee), AOL, etc. So it will be in your best interests even if you don't have IE as your base browser to upgrade it.
Avalon is offline   Reply With Quote
Old 21st May 2002, 12:41   #31
baafie
feminazi
(Major Dude)
 
baafie's Avatar
 
Join Date: Apr 2001
Posts: 1,767
Quote:
Originally posted by BDA7DD


Well don't just sit there with your thumb up your ass, submit a bug report, damn it! Geez, you complain about these problems but do nothing to try and solve them? What's with you people anyway? They won't know if the problems are there if nobody speaks up about them! If they don't know about the problems, they can't fix them, because as far as they're concerned at the moment, those problems don't exist!

http://www.opera.com/support/bugs/ <-- Submit your Opera bug reports here.
I was rather busy when I first noticed it. I will look into it when I have more time available.
baafie is offline   Reply With Quote
Old 5th June 2002, 15:08   #32
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
A new IE security hole involving the gopher protocol has been discovered by Oy Online Solutions, and reported on Yahoo. This bug would allow a hacker to craft a gopher link to r00t your machine when the link is clicked.

Microsoft hasn't formally acknowledged this bug.

The gopher protocol is an antique predecessor of HTTP, the protocol behind the World Wide Web. You're not very likely to come across it nowadays. Nevertheless let's hope a security patch will be released soon.

The smiley slot machine! | Quotable Blog
griffinn is offline   Reply With Quote
Old 5th June 2002, 15:47   #33
rm'
Banned
 
rm''s Avatar
 
Join Date: Jul 2000
Posts: 11,361
Quote:
Originally posted by BDA7DD
Canadian
Figures

ps. griff, keep up the good work :-) Your frequent heads-up are much appreciated.
rm' is offline   Reply With Quote
Old 6th June 2002, 07:47   #34
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
The official BugTraq mail on this exploit has a lot more details for the technically inclined.

The BugTraq mail also offers a temporary solution until the official patch is released:
Quote:
Internet Explorer users can protect themselves from the flaw by disabling the gopher protocol. Barely any gopher servers exist on the Internet today, so this is unlikely to cause problems. If needed, a gopher client or some other web browser can be used to access the gopherspace.

An easy way to disable processing and displaying gopher pages is to define a non-functional gopher proxy in Internet Options. Select Tools -> Internet options -> Connections. Click on "LAN settings". Check "Use a proxy server for your LAN". Click on "Advanced...". Here you can define proxy servers to be used with different protocols. Go to the Gopher text field and enter "localhost", and "1" in the port text field. This will stop Internet Explorer from fetching any gopher documents.

After installing the patch from Microsoft you can remove these gopher proxy settings (or restore them to values they had before).

The smiley slot machine! | Quotable Blog
griffinn is offline   Reply With Quote
Old 6th June 2002, 21:16   #35
Trigear
bear!
 
Trigear's Avatar
 
Join Date: Jun 2002
Posts: 3,426
tiki?
Trigear is offline   Reply With Quote
Old 11th June 2002, 23:02   #36
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
Microsoft has formally acknowledged the Gopher exploit in its Security Bulletin MS02-027. Patches are still "under development", though.

The smiley slot machine! | Quotable Blog
griffinn is offline   Reply With Quote
Old 12th August 2002, 11:53   #37
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
A new vulnerability regarding SSL (for secure HTTP sessions, usually used when you shop online or sign up to something with personal information) has been reported, but Microsoft has not yet acknowledged the issue.

In short: IE's handling of intermediate SSL certificates is flawed. This allows man-in-the-middle attacks, i.e. a bad guy intercepting your SSL traffic to, say, www.amazon.com, posing as the Amazon server (your IE should warn you about "invalid SSL certificates" at this point but an implementation flaw causes it to just silently go ahead and talk to the spoofed server).

BugTraq mail by original discoverer
The Register's take on the matter

Temporary countermeasure? Don't shop on the net, I guess. Or just give up and be assimilated -- As Scott McNealy, Sun's CEO, once put it, "You have zero privacy anyway... Get over it."

The smiley slot machine! | Quotable Blog
griffinn is offline   Reply With Quote
Old 12th August 2002, 12:08   #38
Neko
Major Dude
 
Neko's Avatar
 
Join Date: Aug 2001
Location: Mice!?
Posts: 1,197
or use fake credit card details
Neko is offline   Reply With Quote
Old 13th August 2002, 20:37   #39
BDA7DD
Senior Member
 
BDA7DD's Avatar
 
Join Date: Jan 2002
Location: Ontario, Canada, eh?
Posts: 185
Send a message via ICQ to BDA7DD Send a message via AIM to BDA7DD Send a message via Yahoo to BDA7DD
... or use a better browser!
BDA7DD is offline   Reply With Quote
Old 16th August 2002, 15:41   #40
griffinn
Court Jester
(Forum King)
 
griffinn's Avatar
 
Join Date: May 2000
Location: Your local toystore
Posts: 3,501
Send a message via ICQ to griffinn
Microsoft has released a TechNet article acknowledging the SSL flaw. They assert that exploiting the flaw is difficult, but will nevertheless develop a patch to eliminate it.

The smiley slot machine! | Quotable Blog
griffinn is offline   Reply With Quote
Reply
Go Back   Winamp & Shoutcast Forums > Community Center > Breaking News

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump