Re: Microsoft IE cookies readable via about: URLS

["Clover Andrew" <aclover () 1value com>]

Nick FitzGerald <nick () virus-l demon co uk> wrote:

> This was hinted at in Andrew Clover's message of 19 October

Yes. I noted that "IE incorrectly applies HTTP-style URL parsing to
'about:' URLs", from which I really should have investigated further to
find that in fact it doesn't recognise the difference between http: and
about: at all in the case of cookie access security. My bad - having
found what I considered enough of a hole to require patching, I didn't
go further and find its full potential.

> That's interesting, given they seemed to think there was no
> problem (despite the flaw being obvious to the rest of the
> world) back when Andrew mentioned it...

Well, my exploit was less serious than this, but it was indicative of
brokenness, and I would have expected the IE team to at least
investigate. Instead, Microsoft seemed more interested in arguing
Mitigating Factors. It would be easiest to simply remove the
about-unknown-page-echoing-"feature", since it is of no legitimate use
whatsoever (or at least enforce HTML-escaping on it). I do not expect
the patch for Jouko's more serious exploit to do so, when it's released,
but there's always hope.

> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
> Settings\ZoneMap\ProtocolDefaults\about = 4

Indeed, I've been using this a while with no problems, recommend it.

-- 
Andrew Clover
Technical Consultant
1VALUE.com AG