[ISN] Microsoft Corp. is working on a patch for a patch.

From: mea culpa (jerichoat_private)
Date: Mon Feb 01 1999 - 11:54:47 PST

  • Next message: mea culpa: "[ISN] Usenix Networking '99"

    http://www.zdnet.com/pcweek/stories/news/0,4153,1013784,00.html
    
    Microsoft Corp. is working on a patch for a patch.
    By Jim Kerstetter, PC Week Online
    January 29, 1999 3:25 PM ET
    
    In September, the company issued a patch for a security vulnerability in
    its Internet Explorer browser. The problem, dubbed the Cross Frame
    Navigate Vulnerability, essentially lets a malicious site run a script
    that takes control of a second window on a browser. 
    
    Through that second window, a hacker can peek at particular files on a
    user's hard drive without the user's knowledge. Through the vulnerability,
    a hacker could also display fake content on a trusted Web site and trick
    users out of private information like credit card numbers. 
    
    Microsoft (MSFT) thought it had the problem licked, but a bug hunter in
    Bulgaria named Georgi Guninski found a new way around the patch for the
    original problem. 
    
    "It's not that there was a problem with the fix. It was fine for four
    months," said Michael Nichols, product manager for Microsoft's Personal
    and Business Systems Group. "But someone found a way to get around the
    additional safeguards that we put in." 
    
    Microsoft officials in Redmond, Wash., said they are working on a patch
    for the patch but don't know when it will be completed. 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:50 PDT