Re: IE5 Feature/security hole

[yoe () MEDIAONE NET (Eilon Lipton)]

This is getting a bit off-topic, but anybody who is *that* concerned with
the privacy of what they type in their e-mail has two options:
1. Disable the feature in the Options
2. Keep the workstation locked when not present at it

All the main Internet settings, including all the Intelli-whatever stuff are
stored in
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
There is also a key there,
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\SPW
Which has stuff in it such as:
"7* U0D7O=9FN+4 = 0x00000000 (0)
.[JYB C-HQN6EYE = 0x00000000 (0)
And several more.
These appear to be encrypted, but do not ask me how. I have 14 such
oddly-named keys in my registry and I have used this feature quite a lot
(since the betas of IE5). It would be interesting if anybody could find out
how these are encrypted given the data that was encrypted and its encrypted
result.

Anyway, part of my point is that an administrator that is really worried
about his NT system can write a teeny little program that disabled all these
features and even denies user the right to modify these settings via the
registry's security settings.
The other part is that a user on his/her own can protect themselves by
simply disabling this option (same as with the Netscape's "What's related"
thingo, which is also now a feature in IE5, made by the same people,
methinks).
The other other part of my point is that some John Doe cannot just steal the
stored stuff because as you see above that is nowhere near plaintext.

Eilon Lipton
yoe () mediaone net


> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ () netspace org]On Behalf Of Juha Jäykkä
> Sent: Monday, March 29, 1999 1:45 AM
> To: BUGTRAQ () netspace org
> Subject: Re: IE5 Feature/security hole
>
>
> > According to Microsoft, the database (call it what you like)
> where all this
> > information is stored is encrypted, so you cannot just go to a random
> > machine and grab all the data - you must go to a form that has
> the proper
> > field names in order to get the information.
>
>   Blast it! Where does the pass phrase come from? Does IE5 ask the user
> for encryption password when this autofill feature is first used? Does
> IE5 ask the user for decryption password every time this feature is used
> during different sessions? (By session I mean running a program and
> shutting it down. The important thing here is it thus effectively erases
> any memory cache it might have been using - if it remembered the
> password (as programs NEVER must)...) If you answered "no" to any of the
> above, then the password is stored somewhere and it can be retrieved and
> the "secure" encrypted storage decrypted by anyone who has access to the
> machine. This brings us back to square one: anyone with access to your
> IE5 has access to anything you have ever typed in any form.
>   By the way: where exactly are the entries stored? Are they secured
> with proper NTFS permissions or are they just left somewhere in
> %SystemRoot% with Everyone:F permissions so every user would use the
> same file or does every user have a distinct file (not that this would
> help with non-NT windows)?
>   I just wonder, when will we see security in MS products, other than
> NT? I'm becoming really worried... now that NT5 is renamed, I'd not be
> surprised if security had been also lost with the name...
>
> --
> Juha Jäykkä, juhaj () iki fi