[ISN] Microsoft Corp. is working on a patch for a patch.

From: mea culpa (jerichoat_private)
Date: Mon Feb 01 1999 - 11:54:47 PST

  • Next message: mea culpa: "[ISN] Usenix Networking '99"

    Microsoft Corp. is working on a patch for a patch.
    By Jim Kerstetter, PC Week Online
    January 29, 1999 3:25 PM ET
    In September, the company issued a patch for a security vulnerability in
    its Internet Explorer browser. The problem, dubbed the Cross Frame
    Navigate Vulnerability, essentially lets a malicious site run a script
    that takes control of a second window on a browser. 
    Through that second window, a hacker can peek at particular files on a
    user's hard drive without the user's knowledge. Through the vulnerability,
    a hacker could also display fake content on a trusted Web site and trick
    users out of private information like credit card numbers. 
    Microsoft (MSFT) thought it had the problem licked, but a bug hunter in
    Bulgaria named Georgi Guninski found a new way around the patch for the
    original problem. 
    "It's not that there was a problem with the fix. It was fine for four
    months," said Michael Nichols, product manager for Microsoft's Personal
    and Business Systems Group. "But someone found a way to get around the
    additional safeguards that we put in." 
    Microsoft officials in Redmond, Wash., said they are working on a patch
    for the patch but don't know when it will be completed. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:50 PDT