Bugtraq mailing list archives
Re: Minor IE vulnerability: about: URLs
From: Pedro Miller Rabinovitch <pedro () ciphertech com br>
Date: Fri, 19 Oct 2001 19:47:07 -0200
At 17:13 +0200 19.10.01, Clover Andrew wrote:
Versions: Assume all versions of IE/Win are vulnerable. Status of IE under other platforms is unknown. Versions tested: 4.72.3612.1713 (SP2; 3283) 5.00.3315.1000 (SP2) 5.50.4522.1800 6.0.2600.0000
I've confirmed the bug in the above. In MacOs 9.1, IE5 and IE4.5 do not expose the hidden about: 'feature'. Thus, they don't seem to be vulnerable. As a U.S. Senator recently said (as quoted by Wired magazine) on the whole security problem: "Use a Mac." ;-) (please take this comment with a truckload of salt. I *am* j/k)
A Microsoft chap pointed out that sites can already break out of the Restricted Sites Zone, simply by pointing at another site that is not in that Zone.
Compare the effort on both fronts. I agree with Clover's comments.
Regards,
Pedro.
--
Pedro Miller Rabinovitch
Diretor de Tecnologia
Cipher Technology
21-2579-3999
www.ciphertech.com.br
_____
"Segurança em TI - uma especialidade Cipher Technology"
Current thread:
- Minor IE vulnerability: about: URLs Clover Andrew (Oct 19)
- Re: Minor IE vulnerability: about: URLs Nick FitzGerald (Oct 19)
- Re: Minor IE vulnerability: about: URLs Julian Hall (Oct 23)
- Re: Minor IE vulnerability: about: URLs Pedro Miller Rabinovitch (Oct 19)
- Re: Minor IE vulnerability: about: URLs Simon Kornblith (Oct 20)
- <Possible follow-ups>
- Re: Minor IE vulnerability: about: URLs Clover Andrew (Oct 24)
- Re: Minor IE vulnerability: about: URLs Nick FitzGerald (Oct 19)