Security Hole in Explorer 4.0
Freiburg - 10/16/97 - A dangerous security hole in Internet Explorer
4.0 was detected by Ralf Hueskes of Jabadoo Communications when he
conducted a series of security tests for [3]c't computer magazine.
His tests revealed that it is possible to spy on the contents of any
text and HTML files on somebody else's computer. Not only local files
are in danger, but also data on your company's intranet - even if it
is protected by a firewall.
The security hole exists even if users have activated the highest
security level in their browser. The problem affects both the German
and the English version of the Internet Explorer.
The code needed for infiltrating your files can be hidden in any
normal Web page or in an e-mail message.
Technical Details
The spy pages make use of JScript. If a user accesses a page or
receives an e-mail containing this code, infiltration begins ...
The spy page contains a so-called IFRAME sized 1 by 1 pixel. When a
user accesses the page or opens the e-mail message, a small Jscript
program loads the HTML or text file to be spied on into this frame.
The contents of the frame can then be read using Dynamic HTML and sent
as a parameter hidden in a URL to any Web server in the Internet.
[4]demo page
Protective Measures
According to Ralf Hueskes of Jabadoo Communications, the security hole
exploits an error in the Internet Explorer 4.0 that can be fixed only
by the manufacturer. Microsoft is aware of the problem and will make
available a patch for download from [5]http://www.microsoft.com/ie/ on
October 17th 1997.
Experienced users can protect themselves by completely deactivating
the execution of Active Scripting in the security settings (menu item:
Tools/Options/Security, Settings/Custom (for expert users)/Active
Scripting/Disable) and by using the Security Zones feature in Internet
Explorer 4.0.
More Information
For more information (press only), please contact Ralf Hueskes of
Jabadoo Communications (ralf.hueskes@jabadoo.de). Additional
information can also be found in c't magazine, vol. 12/97 (to be
published on 10/27/97).
Miscellaneous
Trademarks, program names, company names etc. mentioned on this Web
page may be protected by trademark law and international agreements.
Although all information has been verified, we cannot guarantee its
correctness.
_________________________________________________________________
References
1. http://www.jabadoo.de/index.html
2. http://www.jabadoo.de/index.html
3. http://www.heise.de/ct/
4. http://www.jabadoo.de/press/ie4demo.html
5. http://www.microsoft.com/ie/