e-Clippings Computer Security Alert, Message #149 of 261
Dear Readers,

Please excuse the extra email but I thought this was serious enough
to warrant it. I have enclosed the full story of the latest security
hole in IE below as well as the Microsoft FAQ below that. I find it
heavy with irony that if you do as MS says and disable the active
script feature of IE, it disables the functionality on the MS TechNet
site. Oh well, forewarned is forearmed.

Mark Oehlert, Editor.


Security hole in IE reveals data in cookies
A newly reported vulnerability in Microsoft Corp.'s Internet Explorer
allows hackers to steal or corrupt cookie information on a user's
desktop through a malformed URL at a Web site or in an HTML e-mail.
http://computerworld.com/nlt/1%2C3590%2CNAV47_STO65588_NLTPM%2C00.html


Security hole in IE reveals data in cookies

By Jennifer DiSabatino
(Nov. 09, 2001) A newly reported vulnerability in Microsoft Corp.'s
Internet Explorer allows hackers to steal or corrupt cookie
information on a user's desktop through a malformed URL at a Web site
or in an HTML e-mail.

The vulnerability means a user's personal information, such as a
credit card number or home address, could be stolen by a malicious
site, if other sites have stored that data on the user's hard drive.
The flaw involves Microsoft's IE browser versions 5.5 and 6.0.


Microsoft rates the hole as a high security risk, but hasn't yet come
out with a patch. For now, the software manufacturer urges users to
do a work-around by disabling active scripts. A full explanation and
instructions for the work-around are on Microsoft's TechNet site.


Microsoft spokesman Christopher Budd said the company faces a
challenge in making consumers aware of the problem. "We are working
with the press. We view the press as instrumental as getting out to
the consumer base. As far as getting the word out, we are going high
and low... because clearly we have an interest in getting the word
out."


He said Microsoft is taking measures such as creating easy downloads
at consumer-oriented security sites to get patches.


"They don't have to worry or dig into the technical [side]. We put a
lot of effort into our bulletins. We've taken great pains to describe
this in as plain English as possible. There's not going to be a
single easy answer to this."


The vulnerability raises more questions over Microsoft's ability to
securely manage personal data through its .Net and Passport services.


"I don't have faith in Passport anyway. It's like Swiss cheese. It's
just another hole in the Swiss cheese called Passport," said Michele
Rubenstein, a security expert in Washington and president of the EMA,
a user forum within The Open Group, an IT user advocacy group.


To be fair, however, Rubenstein said Web sites that don't store data
securely or that store sensitive information on cookies, also must
share the blame. "A well-designed Web page should not store vital or
critical information in a cookie stored on a hard disk," she said.


The magnitude of the hole also presents a daunting task for Microsoft
in alerting consumers who may not pay attention to security bulletins
and don't know how to apply work-arounds.


"People like my mom, who are on the Internet, aren't aware of these
things," Rubenstein said. "How is she going to learn about that," she
asked, unless someone is checking on security issues for her.


In the statement posted yesterday, Microsoft said, "A malicious Web
site with a malformed URL could read the contents of a user's cookie
which might contain personal information. In addition, it is possible
to alter the contents of the cookie. This URL could be hosted on a
Web page or contained in an HTML e-mail ... The vulnerability results
because of an unsafe handling of cookies across [Internet Explorer]
zones."


That is, instead of restricting a Web site to access only those
cookies it stored on the user's hard drive, IE allows Web sites to
grab cookies from other sites.


Microsoft was notified of the vulnerability Nov. 1 by a Finnish
security firm, Online Solution Ltd, another Microsoft spokesman said.
At first, the firm agreed to work with Microsoft, he said, but then
decided it would be a good marketing opportunity to publicize the
vulnerability.


Microsoft said on its advisory that the person who discovered this
vulnerability has chosen to handle it irresponsibly and has
deliberately made this issue public only a few days after reporting
it to Microsoft.


Microsoft released this statement sent to the company from Online
Solution's CEO: "[F]inding and reporting of this kind of
vulnerability is a great marketing opportunity for us...we are
willing to postpone the publication if we can find any way to work
together so that our company would otherwise benefit from this.
Otherwise we don't see any reason to not report this bug and use it
for our marketing purposes."


In a response posted on its Web site yesterday, Online Solutions said
it believed a week was sufficient time for Microsoft to come up with
a patch, and that IE users were entitled to know of the
vulnerability.



From Microsoft TechNet Site:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp

Frequently asked questions
Why isn't there a patch available for this issue?

The person who discovered this vulnerability has chosen to handle it
irresponsibly, and has deliberately made this issue public only a few
days after reporting it to Microsoft. It is simply not possible to
build, test and release a patch within this timeframe and still meet
reasonable quality standards.

What's the scope of this vulnerability?

A malicious web site with a malformed URL could read the contents of
a user's cookie which might contain personal information. In
addition, it is possible to alter the contents of the cookie. This
URL could be hosted on a web page or contained in an HTML email.

What causes the vulnerability?

The vulnerability results because of an unsafe handling of cookies
across IE zones.

How would an attacker carry out an attack using this vulnerability?

An attacker could attempt to maliciously exploit this vulnerability
by hosting a page with a maliciously crafted URL. They could also
send the victim an HTML email with a similarly crafted URL.

In the case where the attacker hosted a web page, would he have any
way to compel me to visit the site?

The attacker could not force you to visit his site. Instead, he would
need to entice you into performing some action that would cause you
to visit the site. There are, however, a variety of actions that
could be used to do this, from visiting a web site that would
redirect you to the attacker's, to opening an HTML e-mail that
referenced the attacker's site.

In the case where the attacker sent me an HTML e-mail, would simply
opening the mail allow me to be attacked?

Yes. It is possible for an attacker to craft an HTML email in such a
way that it would exploit this vulnerability on opening the mail.

Why does changing my IE settings help protect me against a mail-borne
attack?

As we mentioned above, HTML e-mails are just web pages sent via e-
mail. Outlook uses the IE security architecture to limit what HTML e-
mails can do when opened. By default, Outlook 2002 opens all HTML e-
mails in the Restricted Sites Zone.

Is this a permanent change?

No. Microsoft is working to develop a patch that will eliminate the
vulnerability. When it's completed, you'll be able to install the
patch and then return your IE settings to their previous values.

How likely is it that I could be affected by this vulnerability?

It depends on your web browsing and e-mail habits. Customers who
exercise care in choosing the sites they visit, and who are careful
not to open obvious spam and other untrustworthy e-mails would be at
less risk from this vulnerability. However, customers can easily make
a configuration change that will provide complete protection.

What's the configuration change that will protect against this
vulnerability?

Customers who are concerned about this vulnerability should disable
active scripting. All web pages (and HTML e-mails, which are just web
pages delivered via e-mail) are categorized into one of several
zones, and the settings in each zone dictate what actions can be
taken within it. By disabling active scripting in the Internet zone a
user can prevent an attacker from exploiting either the web-borne or
mail-borne versions of this attack.

How do I disable active scripting in Internet Explorer 5.5 and 6.0?


On the Tools menu, click Internet Options, click the Security tab,
and then click Custom Level.
In the Settings box, scroll down to the Scripting section, and click
Disable under "Active scripting" and "Scripting of Java applets".
Click OK, and then click OK again.





Posted by moehlert2001, Tue Nov 13, 2001 11:59 am