[ISN] Macintosh Users Warned Of IE 5.1 Browser Security Hole

From: InfoSec News (isnat_private)
Date: Fri Oct 26 2001 - 02:55:43 PDT

    http://www.newsbytes.com/news/01/171468.html
    
    By Steven Bonisteel, Newsbytes
    REDMOND, WASHINGTON, U.S.A.,
    24 Oct 2001, 11:40 AM CST
    
    Some users of the Apple Macintosh OS X operating system and
    Microsoft's Internet Explorer browser are being warned that
    downloading certain kinds of files could open a security hole in their
    systems.
    
    Redmond, Wash.-based Microsoft announced in a security bulletin
    Tuesday that the combination of OS X and version 5.1 - and possibly
    earlier versions - of its IE browser allows executable programs
    encoded as BinHex and MacBinary files to run automatically after being
    downloaded.
     
    The vulnerability could allow a hacker to deliver a malicious program
    to unsuspecting users who download the file from an Internet server.
    
    The MacBinary format is designed to permit the resource and data forks
    associated with many Macintosh files to be transmitted via modem or
    network links in a single package. BinHex allows binary files to be
    encoded as plain-text files suitable for transfer by e-mail.
    
    Applications for Apple's operating systems are frequently served up
    using Web and FTP (file transfer protocol) servers employing a
    combination of both formats.
    
    Microsoft said users can easily disable the execution of programs
    downloaded in those formats by changing settings within the IE browser
    that would disable the automatic decoding of BinHex and MacBinary
    files. However, it said, automatic decoding is currently the default
    setting.
    
    The company said the problem may also exist in versions of the
    Explorer browser prior to 5.1, but, since earlier versions of the
    browser for Mac OS X are not supported by Microsoft, they were not
    tested.
    
    More information and a patch to fix the problem can be found here:
    http://www.microsoft.com/technet/security/bulletin/ms01-053.asp
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


