Bugtraq mailing list archives
Re: Microsoft IE cookies readable via about: URLS
From: "Jeffrey W. Dronenburg" <dronenjw () us hsanet net>
Date: Fri, 9 Nov 2001 19:08:33 -0500
Nick FitzGerald <nick () virus-l demon co uk> wrote: <snip>
A better workaround (assuming that you feel cookies are "relatively useful" and would rather not turn them off) is to put about: URLs into the Restricted Sites zone, as detailed in Andrew Clover's followup to his own post:
http://www.securityfocus.com/archive/1/222552
In short, create a DWORD value named "about" under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\ProtocolDefaults
and set it to 4.
I just tested this against your test page and with the above value set, the test tells me "No cookies found for site...". Interestingly, this registry change seems to have almost immediate effect -- i.e. it did not require a restart or logout/login or even an IE exit/restart (I did this on Win2K) but occasionally, when running the test page over and over alternating back and forward between having the above value set and not present (the default), the page would work as if the registry value had not yet been changed.
<snip> I validated your test results with Windows 98 SE (4.10.2222A) in a multi-user environment and Internet Explorer 5.5 (5.50.4807.2300IC with SP2; Q306121 installed), both fully patched with latest updates. I also validated your test results with Windows Me (4.90.3000) and Internet Explorer 5.5 (same version as above) and then again after upgrading to IE 6.0 (6.0.2600.0000). In all cases, the registry change did not require a system reboot to take effect. However, when I attempted to validate your test result with IE 5.5 by toggling the registry settings between "0" and "4", I noticed that increasing the security setting takes effect immediately, while reducing it requires a new instantiation of IE and will not take effect in the current window. Changing the registry value from "0" to "4" would change the output results on the test Web page from displaying cookies to reporting "No cookies found for site...". Resetting the value from "4" to "0" had no effect the current instantiation of IE, but the new registry value would take effect upon opening a new IE window, but still not in the previous IE window. (Isn't multi-tasking fun? <smirk>). This wasn't the case with IE 6.0, however. Toggling the registry settings between "0" and "4" took immediate effect in the current window when both increasing and decreasing the setting. Therefore, increasing the cookie security setting will take effect immediately in both IE 5.5 and 6.0 in all open IE windows. Decreasing the setting will only take effect in a new window in IE 5.5 regardless of whether or not the previous windows (including the REGEDIT window) are still open or not. Decreasing the setting in IE 6.0 will have immediate effect and make the browser vulnerable to the exploit. Cool stuff! Thanks, Nick, for reminding us of Andrew's post. Cheers, Jeff Jeffrey W. Dronenburg, Sr. MIS Major, Univ. of Maryland, Univ. College Alpha Sigma Lambda Phi Kappa Phi "A day without learning is like apple pie without ice cream. They're both much sweeter the other way around." -Me! :-)
Current thread:
- Microsoft IE cookies readable via about: URLS Jouko Pynnonen (Nov 08)
- Re: Microsoft IE cookies readable via about: URLS Nick FitzGerald (Nov 09)
- Re: Microsoft IE cookies readable via about: URLS Jeffrey W. Dronenburg (Nov 10)
- RE: Microsoft IE cookies readable via about: URLS Oliver Petruzel (Nov 12)
- Re: Microsoft IE cookies readable via about: URLS Thomas Reinke (Nov 12)
- Re: Microsoft IE cookies readable via about: URLS Valdis . Kletnieks (Nov 12)
- RE: Microsoft IE cookies readable via about: URLS Per Arne Johansson (Nov 12)
- <Possible follow-ups>
- Re: Microsoft IE cookies readable via about: URLS Clover Andrew (Nov 12)
- Re: Microsoft IE cookies readable via about: URLS Kristian Strickland (Nov 14)
- Re: Microsoft IE cookies readable via about: URLS Peter W (Nov 15)
- RE: Microsoft IE cookies readable via about: URLS Kristian Strickland (Nov 15)
- Re: Microsoft IE cookies readable via about: URLS Nick FitzGerald (Nov 09)