WSJ: Microsoft Acknowledges Browser Flaw

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

WIRE:05/15/2000 07:11:00 ET WSJ: Microsoft Acknowledges Browser Flaw

NEW YORK (Reuters) - Microsoft Corp. (MSFT.O) has acknowledged a flaw in its popular Internet browser that could let hackers steal "cookies," sensitive files e-commerce sites use to track and conduct business with customers online, a report in the Wall Street Journal said on Monday.

The browser flaw could be worrisome because it gives hackers relatively easy access to the sensitive data sometimes contained in and accessed through cookies, and because it could affect such a large group: those who use the two most recent versions of Microsoft's Web browser, roughly two-thirds of Web users, according to the article.

http://abcnews.go.com/wire/US/reuters20000515_748.html

-- Martin Thompson (mthom1927@aol.com), May 15, 2000

Answers

Microsoft Confirms IE Bug, No Fix In Sight

2:41 p.m. ET (1841 GMT) May 19, 2000

By Rutrell Yasin

Microsoft is scrambling to put together a patch that will address the latest security flaw discovered this week in its Internet Explorer browser. The flaw lets hackers track websites IE users visit and even redirect them to other sites through cookies.

Bennett Haselton, an anti-Internet censorship activist with Peacefire.org, Seattle, discovered the browser problem after exposing security flaws through Hotmail, Microsoft's free e-mail service.

A Microsoft spokeswoman acknowledged the latest discovery.

"The vulnerability allows a malicious site to read, change, or delete cookies that belong to other sites," she said.

However, the hacker has to entice the user to come to the malicious site, the spokeswoman said.

She gave no time frame for when the company would issue a patch.

Haselton said any website that uses cookies to authenticate users or store private information could have cookies exposed by IE and intercepted by a third-party website.

For example, an intruder can intercept a cookie set by Hotmail or Yahoo Mail to break into a visitor's e-mail account since those sites use cookies for authentication. Additionally, a hacker could impersonate an Amazon.com user by using his cookie since it contains a user's name, e-mail address, and the user's list of recommended titles.

However, an intruder wouldn't have access to a user's credit card number or list of Amazon.com orders since this information requires a password that is not in the cookie, Peacefire.org said.

BugNet, a watch group that tracks software vulnerabilities, hasn't issued an alert on the IE flaw because it is still conducting tests to validate the claims, said Eric Bowden, general manager of BugNet, Lindon, Utah.

However, BugNet reported a security fix designed to close a denial-of-service vulnerability discovered in Microsoft's Internet Information Server (IIS) versions 4 and 5 doesn't work.

The hole, originally reported by the Underground Security Systems Research (USSR) organization last month, "uses a malformed data extension in the URL to peg IIS CPU utilization at 100 percent" that could slow down or bring the Web server to a halt, Bowden said.

The Microsoft patch, posted on May 11, doesn't fix the vulnerability as originally reported by USSR, Bowden said. Based on testing and after talking with Microsoft, there is no protection from this vulnerability, he said. Since the exploiting executable code is available from USSR's website, all IIS servers are at risk, BugNet said.

© 2000 CMP Media Inc

http://www.foxnews.com/vtech/051900/msiebug.sml

-- Martin Thompson (mthom1927@aol.com), May 21, 2000.
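The second article draws a line that is worth seeing in code: a cookie that carries identity attributes (the Amazon-style cookie with name, e-mail and recommendations) gives those attributes away to whoever can read it, while data gated behind a password (the card number, the order list) stays out of reach even when the cookie is replayed. The following is an added example, not code from the original post, from Microsoft, or from any of the sites named in the articles. It contrasts the two designs with a constructed in-memory session store: `SessionStore`, `pii_cookie`, `demo`, the usernames and passwords are all hypothetical, and the "stolen" token is simply a copy of the legitimate one to stand in for a cookie read across sites.

```python
import hashlib
import hmac
import secrets

# Added, constructed example of server-side session design. Nothing here is
# Microsoft, Amazon, Hotmail or Peacefire code; all names are hypothetical.


class SessionStore:
    """Server-side sessions keyed by an opaque random token.

    The cookie value is the token alone. It carries no name, e-mail or other
    attribute, so a site that manages to read the cookie learns nothing about
    the user beyond "a session exists". What a copied token CAN do is be
    replayed, which is why the sensitive action below demands the password
    again and why logout revokes the token.
    """

    def __init__(self):
        self._users = {}     # username -> (salt, password_hash)
        self._sessions = {}  # token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def _check_password(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison of the derived hash against the stored one.
        return hmac.compare_digest(self._hash(password, salt), expected)

    def login(self, username, password):
        """Return a fresh opaque token (the cookie value), or None on failure."""
        if not self._check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)  # random; reveals nothing about the user
        self._sessions[token] = username
        return token

    def whoami(self, token):
        """Low-risk request: the token alone identifies the user (replayable)."""
        return self._sessions.get(token)

    def view_card_number(self, token, password):
        """Sensitive request: token AND a fresh password check. A replayed
        cookie without the password stops here, as the article describes."""
        username = self._sessions.get(token)
        if username is None or not self._check_password(username, password):
            return None
        return f"<card data for {username}>"

    def logout(self, token):
        """Revoke the token so any copy of it stops working."""
        self._sessions.pop(token, None)


def pii_cookie(name, email):
    """The contrasting design from the article: identity attributes written
    into the cookie value itself, readable by whoever can read the cookie."""
    return f"name={name}; email={email}"


def demo():
    """Walk through both designs with a constructed user and a copied token."""
    store = SessionStore()
    store.register("alice", "correct horse")
    token = store.login("alice", "correct horse")
    stolen = token  # constructed stand-in for a cookie read by another site
    results = {
        "token_reveals_identity": "alice" in token,
        "replay_low_risk": store.whoami(stolen),
        "replay_sensitive_without_password": store.view_card_number(stolen, "guess"),
        "owner_sensitive_with_password": store.view_card_number(token, "correct horse"),
        "pii_cookie": pii_cookie("alice", "alice@example.com"),
    }
    store.logout(token)
    results["replay_after_logout"] = store.whoami(stolen)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the trade-off the article sketches: the opaque token still lets a replayed cookie pass as the user for low-risk requests (the Hotmail and Amazon impersonation cases), but it leaks no attributes on its own, the card data needs the password a second time, and logout cuts the replay off. Storing the attributes in the cookie, as `pii_cookie` does, hands them to anyone who can read it.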
