http://www.newsbytes.com/news/02/176077.html By Brian McWilliams, Newsbytes REDMOND, WASHINGTON, U.S.A., 23 Apr 2002, 12:47 PM CST Security flaws in privacy features added to Microsoft's Web browser could enable attackers to perform several privacy-robbing attacks, including hijacking victims' MSN Messenger accounts, a security researcher warned. According to Thor Larholm, a developer with Denmark-based Internet portal Jubii.dk, "severe" bugs in the "Privacy Report" feature in Internet Explorer version 6 can be exploited "in effect removing all privacy." Last week, Larholm posted an advisory and harmless demonstrations of the flaws at his personal Web site. One example showed how the browser bugs enable a Web site to launch programs that exist on the user's hard disk. Another demo page silently sends a message to users in the target's MSN Messenger contact list. "Hello, my MSN has just been h4><0r3d. However, this is nothing to be worried about. Your MSN is fine. The person who sent this would probably like a reply though, to show that it worked," read the instant message transmitted by Larholm's demonstration. Larholm said the IE flaws also enable an attacker to steal a victim's browser cookies. Cookie files are sometimes used by the browser to authenticate users and allow them to access sites. Larholm did not provide a demonstration of the cookie-stealing exploit. According to Larholm, he notified Microsoft about the IE vulnerabilities on March 18. The researcher said he decided to publicize his findings because he felt Microsoft was not giving the flaws proper consideration. "After a month, they are still only at a stage where they are considering whether to patch it," said Larholm in an interview today. A Microsoft representative said the company was still investigating the issue and declined further comment. Larholm said the security flaws lie in an IE feature for creating dialog windows. The browser fails to perform proper validation checking when a privacy dialog window interacts with a remote site, he said. By clicking an icon in the browser's status bar, IE 6 users can view a privacy report when they visit a site. The report enables users to control how the browser handles cookies from the site and to view its privacy policy. Disabling IE's use of JavaScript prevents the flaws from being exploitable, according to Larholm. In response to Larholm's advisory, GreyMagic Software of Israel said it found similar dialog-related flaws in another IE resource named Analyze.dlg. According to GreyMagic, earlier versions of Microsoft's browser, including IE 5 and IE 5.5, as well as IE 6, are vulnerable to the attack. Larholm's advisory is at / GreyMagic's advisory is at / Microsoft's description of privacy features in IE is at http://www.microsoft.com/windows/ie/evaluation/overview/privacy.asp - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 01:43:04 PDT