Fix Now Available for "Freiburg" Text-Viewing Issue

Aleph One (aleph1@DFW.NET)
Fri, 17 Oct 1997 19:30:35 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Solar Designer: "WinNT syscalls insecurity"
Previous message: Aleph One: "Jabadoo Security Hack"

http://www.microsoft.com/ie/security/?/ie/security/freiburg.htm

Fix Now Available for "Freiburg" Text-Viewing Issue
This Page Last Updated on October 17, 1997

Microsoft is now providing a fix to protect users' computers against a
potential problem with Internet Explorer 4.0 known as the Freiburg
text-viewing issue, which could allow a malicous Web site to obtain
the contents from a text, HTML, or a graphic image (no other file
types) from a user's hard disk. That information could not be damaged
or manipulated on the user's computer, but it could be viewed.

How to protect your computer: Below you can find out more about this
potential problem. But first, here are two ways to protect your
computer from it:
* [15]Download the patch we just posted, which provides an easy and
complete fix for the problem. (Many thanks to Ralf Hueskes from
[16]Jabadoo Communications in Freiburg, Germany, for reporting the
problem to Microsoft and helping us test this fix.)
* Internet Explorer 4.0's Security Zones feature can be configured
to offer protection against this bug by allowing users to disable
scripting for unfamiliar sites. (From the View menu, choose
Options. Then click the Security tab and select the "Restricted
web sites" zone. Choose Custom, then under the "Active Scripting"
option, choose to disable Active Scripting. Users can add any
unfamiliar sites to this zone and will be protected.)
Administrators can also use Security Zones to prevent this problem
from occurring on their intranet.

Details of the potential problem: The issue could allow a malicious
person to create a Web page that is intentionally designed to exploit
this problem to view the contents of a text file, HTML file, or
graphic image from a user's hard disk. The Web page must be
specifically designed to obtain certain filesto the level of
knowing and including the exact filename and locationand that
file must be an HTML, text, or image file. Even if those conditions
are met, the site cannot destroy or tamper with any data. Again, data
cannot be obtained from any files other than text, image, or HTML.

References

15. file://localhost/msdownload/ieplatform/ie4patch/ie4patch.htm
16. http://www.jabadoo.de/

Next message: Solar Designer: "WinNT syscalls insecurity"
Previous message: Aleph One: "Jabadoo Security Hack"