Browser Security

Recent Updates

News.com: Security hole found in Exchange 2000
Employees who use the Web to get their corporate e-mail could have their in-box deleted by a malicious program.

May 5, 2001: GoHip gets our vote as one of the most annoying programs ever developed. It secretly adds an ActiveX control to your browser that hijacks your home page, adds new menu bars to your browser, delivers unwanted pop-up banners and even changes your email signature. Worse, it can seem impossible to get rid of, if you don't know how: there's no uninstall option in the Add/Remove Control Panel.

Apr. 21, 2001: It may be just a nasty coincidence, but doesn't it seem to you as though, the more Microsoft claims to be focusing on security in its products, the more insidious and frequent the attacks against Microsoft products seem to become? Veteran bug hunter Georgi Guninski has discovered what looks to be one of the most severe vulnerabilities yet discovered, affecting Windows systems. Basically, it has been discovered that, by appending a CLSID to a message, the content of the CLSID can gain access to a machine's registry, delete files, and can even grant administrative permissions to unauthorized users. The scary part is: The CLSID is not displayed in Windows Explorer or Internet Explorer, and gives the impression that the file in question is safe to open. Betanews.com has a discussion of just how serious this is (or isn't, depending on your point of view), while Guninski's site has further details....

Mar. 29, 2001: Yet another security vulnerability has been discovered in Internet Explorer 5.01 SP1 and 5.5 SP1 and this one's a doozy. It turns out that Internet Explorer does not handle MIME (Multipurpose Internet Mail Extensions) headers in HTML e-mails correctly. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer. If this occurs, the executable can take any action on the computer that the user can take, including adding, changing, or deleting data, communicating with Web sites, or reformatting the hard drive. An update is available that eliminates the vulnerability by correcting the way Internet Explorer handles MIME headers in HTML e-mails, preventing e-mails from automatically launching executable attachments. Microsoft's Web site has the details and a fix....

For more information about this vulnerability, read Microsoft Security Bulletin MS01-020.

Mar. 28, 2001: Exchange 2000, IE 5 combo could open door to IE bug. You have to really be looking for trouble to fall victim to the latest security threat discovered by Bulgarian bug hunter Georgi Guninski. You must:

  1. Visit a malicious web site
  2. Be using IE 5 with Active Scripting enabled
  3. Be running Exchange 2000
  4. Have a user name hackers can guess

If all of these are true, the bug lists the directories of some of the user's servers, possibly allowing the viewing of the person's e-mails or folders. According to CNET, Microsoft's response was that "visiting malicious Web sites is not a real exploit scenario."

Feb. 26, 2001: CNET warns of a Gnutella worm that changes, chameleon-like, to take the name of any file a Gnutella user might be searching for. The worm, which can also be classified as a Trojan horse due to its sneaky behavior, spreads only via the Gnutella peer-to-peer file-swapping service and is always 8192 bytes, at least in its current incarnation.

Feb. 7, 2001: E-mail "Bug" Could Allow Tracking, notes ZDNet. A recently discovered vulnerability in Netscape Mail, Outlook, and Eudora could allow an individual to receive your mail by tagging e-mail messages with JavaScript that causes any reply to the message, with the script attached, to be forwarded back to them. Unfortunately, although turning off JavaScript will eliminate the vulnerability on your computer, this "e-mail wiretap" code will still take effect when received by another user who has not turned off the feature. Ewwww!

Dec. 2, 2000: Microsoft has released patches for four security vulnerabilities in Microsoft Internet Explorer 5.x. The “Browser Print Template” vulnerability, says the company, could enable a malicious web site operator to take unauthorized actions on the computer of a user who visited her site.
The “File Upload via Form” vulnerability could enable a malicious web site operator to read files on a visiting user’s computer.
Patches are also available for new variants of the “Scriptlet Rendering” and “Frame Domain Verification” vulnerabilities, both of which could enable a malicious web site operator to read files on a visiting user’s computer. See Microsoft.com's Critical Updates for IE section for details. Frequently asked questions regarding these and other vulnerabilities and patches can be found at http://technet.microsoft.com/en-us/security/default.aspx

Nov. 23, 2000: Microsoft Security Bulletin (MS00-090) - Patch Available for ".ASX Buffer Overrun" and ".WMS Script Execution" Vulnerabilities. These security holes affect Microsoft's Windows Media Player. In the first situation, the ASX redirector file (essentially, a text file pointing to another URL) has an unchecked buffer that is subject to a vulnerability that could cause a malicious program to be executed. In the second case, a Windows Media Player 7 "skin" could contain code which, when the skin is selected, could in turn invoke a malicious ActiveX control.

  • The “ASX Buffer Overrun” vulnerability affects both Windows Media Player 6.4 and 7.
  • The “WMS Script Execution” vulnerability affects only Windows Media Player 7.

Oct. 18, 2000: Another security hole in a Microsoft product? What a surprise! Say, what's that sound? Oh, it's just the Linux fans laughing their asses off. CNET notes an IE 5.5 email hole that lets hackers read files.

Oct. 6, 2000: Another week, another IE security flaw discovered by Georgi Guninski. You can tell Microsoft is getting ticked at the guy. In a CNET article discussing the latest issue, a Microsoft spokesperson comments on Guninski's 24-hour "advance warning" policy. "That's not enough time," the Microsoft representative said. "Our biggest concern is that in a worst case scenario, it puts the customer at risk. The information is out there, and the bad guys can get their hands on it. In the best situation, it's unnecessarily spinning people up." Guninski has been presenting his findings to Microsoft 24 hours before he advises the BugTraq mailing list of potential security risks.

Sept. 26, 2000: Yet another security hole in IE 5.5 could let hackers into your personal records, reports CNET. Exploiting a previously exploited weakness in the browser's ActiveX security, the new technique was discovered by Bulgarian bug hunter Georgi Guninski. With a suitably booby-trapped website, a thief could, for example, swipe someone's eBay cookie and then gain total access to that user's private eBay account. The bug requires attackers to know the name of a specific file on your system, however. As usual, disabling ActiveX functionality provides a workaround.

Aug. 24, 2000: Just because a site (or a magazine!) says it's secure doesn't mean it is. ZKey, a popular "information portal" once awarded a ZD editor's choice award, has been hacked using nothing more than a bit of JavaScript code. The hacking code, along with notes about its development, can be viewed here. Wired.com has details.

Aug. 11, 2000: CERT Advisory CA-2000-15 describes a recently-discovered Java security hole: "Netscape Communicator and Navigator ship with Java classes that allow an unsigned Java applet to access local and remote resources in violation of the security policies for applets."

Aug. 7, 2000: "Bugs afflict Microsoft, Netscape, Sun" claims CNET, although it's a stretch to blame Sun for Netscape's buggy Java implementation. The Microsoft security holes must present a quandary for the company. They're obscure enough that it takes a number of preconditions to be in place (including ignoring warnings and not using a firewall) and fixing the problem will mean further crippling of the Internet functionality of Microsoft's Office apps. Chalk up another one for Bulgarian bug hunter Georgi Guninski.

Aug. 6, 2000: "Adobe Acrobat bug puts users at risk," notes vnunet.com.

In other browser-related security news, AOL says it will remove a "spying" component from versions of Netscape SmartDownload that has led some users to file a lawsuit against the company. Reuters has details.

July 14, 2000: Famed Bulgarian bug hunter Georgi Guninski, who earlier this week demonstrated a computer security bug affecting Microsoft Excel, has demonstrated an issue in Microsoft's just-released Internet Explorer 5.5. The problem stems from an ActiveX component, present in the new browser release and older versions, which allows Web authors to add automated page editing features to their sites. Unfortunately, such issues, when fixed, reduce functionality on the browser, which has led Microsoft to refrain from promising to fix the issue. Instead, the company says it is "investigating."

July 3, 2000: Microsoft has patched a security hole that exploits a flaw in the company's "Active Setup Download" technology. See Microsoft's Security bulletins page for details.

June 21, 2000: Internet Explorer 5.01 Service Pack 1 (SP1) is now available. According to Microsoft, it provides the latest updates and security fixes to the Internet Explorer technology. Internet Explorer 5.01 SP1 can be installed as an upgrade to existing versions of Internet Explorer, or on computers with no previous Internet Explorer installation.

June 8, 2000: New hacker program targets cable modems, DSL, notes CNet. The program, disguised as a movie clip, is poised to produce a massive denial of service attack and was tested for the first time on June 7th.

June 6, 2000: Internet Explorer security alert: Infoworld notes a flaw that could allow an attacker to trick users into disclosing information, such as credit-card numbers and personal data intended for legitimate Web sites. Microsoft's Security Bulletins page provides details.

May 17, 2000: Bug hunter Ben Mesander has posted a demonstration of a bug that affects Microsoft Internet Explorer 5 for the Macintosh. The method in which IE 5 interacts with Apple's Java Virtual Machine (JVM) software allows the bug to do its damage. According to Mesander, the bug also affects networks that have a firewall in place. News.com has details.

May 4, 2000: Netscape has released Communicator 4.73 to address security issues. According to the company, key changes include fixes for the "JavaScript Cookie Exploit" and "Acros-Suencksen SSL Vulnerability" issues [see Netscape security notes]. No other changes were made from the 4.72 release.

Feb. 4, 2000: A bug in the Java Virtual Machine from Microsoft could allow hackers to steal files, claims Betanews.com. The bug affects users of IE 4, 5, and 5.01 that have the (optional) Microsoft Java VM activated.

Feb. 3, 2000: Microsoft says it plans to publish step-by-step instructions on its Web site to address "cross-site scripting," a new Web security threat that could allow hackers to access information or launch malicious programs on your computer. A c|net article describes the risks. Other browser developers are expected to develop workarounds for this security threat, which computer security analysts describe as "serious."

Dec. 23rd:
http://www.microsoft.com/protect/computer/updates/bulletins/default.mspx notes several new security bulletins, including patches for Outlook Express for Mac and a patch that it says eliminates a vulnerability in Microsoft Internet Information Server and other products that run atop it. Under certain conditions, the vulnerability could cause a web server to send the source code of .ASP and other files to a visiting user. Microsoft has also released a patch that eliminates a vulnerability in Microsoft Internet Information Server and products that run atop it. The vulnerability could allow files on a web server to be specified using an alternate representation, in order to bypass access controls of some third-party applications.

Dec. 4th:
Macintouch notes a spam cookie trick that allows junk mailers to obtain your email address without your knowledge.

Nov. 30th:
Security Upgrade: Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 95 and 98 caused by a legacy mechanism for caching network security credentials. The vulnerability could allow a user's plaintext network password to be retrieved from the cache. Fixes are posted for both Windows 95 and Windows 98. For details, see: Microsoft Security Bulletin (MS99-052) - Patch Available for "Legacy Credential Caching" Vulnerability

Also new: Microsoft Security Bulletin (MS99-051) notes that a patch is available for "IE Task Scheduler" vulnerability.

Nov. 13th:
Bug Fix: Microsoft has released patches for the "File Access URL" vulnerability noted here on Nov. 12th. The company says the problem lay in Windows' networking software; fixes are posted for both Windows 95 and Windows 98.

Security Alert: Microsoft has flagged a security threat in the Macintosh version of Outlook Express 5, reports MacWEEK. Until Microsoft comes up with a solution, it recommends not opening any downloaded file you do not know the source of.

Nov. 12th:
Bug Fixes: Microsoft has released a patch for a security flaw in Internet Explorer versions 4.0 and 5.0 that could allow malicious code disguised as another type of file (e.g., ".jpg," ".mov" or ".txt") to launch and execute when received as an email attachment. The company also released a revised patch for a previously released bug-fix, as noted here on Oct. 12th. Also planned for release is a patch for a so-called "File Access URL" buffer overrun situation that can cause Windows to crash if the URL address bar is fed more characters than it can handle. The characters that didn't fit into the URL entry field go into the computer's memory, where they may be executed when the computer is restarted. Diabolical, indeed. News.com has details....

Oct. 12th:
Security Alert: The IE 5 security model normally restricts the Document.ExecCommand() method to prevent it from taking inappropriate action on a user’s computer. However, at least one of these restrictions is not present if the method is invoked on an IFRAME.

Oct. 3rd:
Security Alert: Bulgarian hacker exposes IE5 'Download Behavior' privacy peephole; Netscape is unscathed. (from Bugnet)
Solution: Pending a patch from Microsoft, disable Active Scripting, as described in a list of frequently asked questions posted by Microsoft. A Security Bulletin provides additional details.

Sept 29th:
Security alert: The ImportExportFavorites feature of versions 4.01 and 5.0 of IE could allow a malicious Web site operator to potentially take any action on the computer that the user would be capable of taking.
Solution: Install Microsoft's patch, released Sept. 24th, to eliminate the problem. Alternatively, disable Active Scripting, as described in a list of frequently asked questions posted by Microsoft.

See http://www.microsoft.com/protect/computer/updates/bulletins/default.mspx for details on the latest issues affecting Microsoft products.

Earlier Web Browser issues
In May 1999, AnchorDesk Technical Director Jon DeKeles discovered a security flaw in Internet Explorer 5.0 that has been confirmed and subsequently patched by Microsoft. But, of course, not everyone keeps their browser up to date. Jon says your Web surfing is easily exposed if you browse with IE 5 on a Windows 98 platform. Here's how it works: You legitimately go to a secure Web site, giving your login and password. You cruise the site. The pages you visit are stored in your cache. You log off and leave your computer thinking you're safe. But you're not. The next person who sits at your machine can easily return to those sites. When prompted for your password, the snoop merely presses "cancel," the "back" button, the "forward" button, and presto -- he can go wherever you've been online. Jon says the Web site must be using Unix' "htaccess." There is, however, a sure fix: Clear your cache whenever you leave your machine. Later that year, News.com documented a security hole and several other issues found in IE during 1999.
