Posted on 11/09/2001 10:40:49 AM PST by toupsie
IE security hole leads to cookie jar
By Stefanie Olsen
Staff Writer, CNET News.com
November 9, 2001, 11:05 a.m. PT
http://news.cnet.com/news/0-1005-200-7828689.html?tag=prntfr
Microsoft has warned that versions of Internet Explorer can expose consumers' personal data contained within cookies.
The vulnerability exists within IE 5.5 and 6.0, but earlier browser editions "may or may not be affected," according to a security bulletin posted to Microsoft's Web site Thursday. The security flaw allows an outsider to break into cookies--tiny electronic files used by Web sites to file account information or personalize pages--through a specially crafted Web page or e-mail. A person could then steal or alter data from Web accounts, including credit card numbers, usernames and passwords.
"A malicious Web site with a malformed URL could read the contents of a user's cookie, which might contain personal information," according to the Redmond, Wash.-based company. "In addition, it is possible to alter the contents of the cookie. This URL could be hosted on a Web page or contained in an HTML e-mail."
The vulnerability comes only a week after security flaws were found in Microsoft's Passport authentication system, causing the software maker to remove the service from the Internet. The privacy breach in the Passport service, which keeps track of data used by e-commerce sites, potentially exposed the financial data of thousands of consumers, undermining the company's recent efforts to convince people that it is serious about security.
Privacy and security expert Richard Smith verified the IE security flaw by writing a tiny bit of JavaScript to hijack information contained in a cookie.
"I couldn't believe how easy it is," Smith said. "The danger here is that once you get somebody's cookie information for a particular Web site, you can get access to that account, whether it's private financial information or travel records."
Microsoft, which labeled the security problem "high" risk, said it is working on a patch. Meanwhile, the company is urging IE users to disable active scripting in the their browser settings. In addition, consumers using Outlook Express should set their preferences within the mail program to allow only "Restricted Sites" to load, according to the company.
To disable active scripting in IE, open the Tools menu in the browser, followed by Internet Options and then the tab for Security. Next, open the Custom Level option; in the Settings box, scroll down to the Scripting section. Click Disable under "Active scripting" and "Scripting of Java applets." Click OK, and then click OK again.
On a side note, Apple actually made its own distro of Linux in the mid-90s called MkLinux. It was a test bed for the mach kernel that is used in Mac OS X.
Macs suck.
Cheers, CC :)
Well you most certainly are not a genius because you don't have a clue how a Macintosh works. The Mac I am using right now has 6 mouse buttons on my trackball that's 4 more buttons than a standard PC mouse. So if the number of mouse buttons makes an OS better by your logic, PCs really suck. Plus on my Mac, all I have to do to change text to BOLD is select the text and say "Bold". The built in Speech Input system in a Macintosh is amazing. I can almost voice control the entire operating system and applications. That isn't some add on but something that is built into the Operating System.
There's competition! Why not try Opera?
As for security risks, it is foolish to point fingers at other platforms too much.
Security requires further vigilance than relying on your computer maker to keep the bad guys out.
Up till now we in the Mac community have been "lucky" that our systems and AppleTalk networking
were not prevalent among hackers.
That has drastically changed with the freeBSD underpinnings in our OS.
From known problems in the 'NIX community with Apache and Perl/cgi to new issues with Apple's
implementation of iDisk we need to stop pointing fingers and start rooting out our own problems.
my .02
iMacs come with ONE button...in fact, I think all of them come with ONE button. Stupid design. Most techs I know agree wholeheartedly.
Yep, these are the 4% who probably SHOULD be using Macs.
An expensive and unnecessary move imo. I got a linux virtual root trojan via a Windows '98 HD while booted in Windows. Some viruses are made to load vai Windows and attack linux and vice-versa since they can pass unrecognized thru each OS's virus scanner.
My solution was to dump '98; write 0s to the linux HD; reload Mandrake 8.1 and put XPpro (fat32) on the zeroed-out Windows drive and reload my database. Worked like a charm. The name of the virus was CodeRed.C. It's an NT4-based virus. It has 3 NT4 payloads and uses the 2000 Server exploit simply for transmission.
The NT5 OSs are nice though. However, you can pay $400 for XPpro's protected memory and file system or get the same for free using Mandrake 8.1 with JFS:Reiser partitioning.
And there's your problem. Macs are not designed for techs, they are designed for normal people. You and I have no trouble with 5-button mice and scroll wheels, but not everyone is as comfortable with computers. Macs are designed to be completely usable with one button, while taking advantage of extra buttons if available, which seems like a good decision to me. I do agree that the "professional" Mac models (G4 towers) should ship with a multi-button mouse, but it's a minor quibble.
Do any of these "techs" actually know how a Macintosh operates or are they the typical tech that only supports what their $5,000 MSCE course taught them? And what is a tech? Someone that works for me, an Administrator. If you are focused on the number of buttons on your mouse, it sounds like a personal problem. The fewer number input devices required to run a computer is better not more. A computer is supposed to reduce work load not increase confusion.
Have you tried out ext3? I am having fun with my backup database server pushing a high load on it and pulling the power plug on it to see it recover without skipping a beat. I have to try out JFS:Reiser.
I would have to disagree. Mac OS X is perfect for "Techs". The power of BSD/UNIX with the ease and speed of Mac. DROOL!!!
I tried to break JFS:Reiser on Mandrake 8.1beta2 and succeeded on the second attempt. The reworked JFS:Reiser for 8.1final survived 3 attempts so I'm using that now (along with XPpro on another channel). They're both great imo but Linux's security is (of course) better since it's not shell based.
If OS X is programmable, and I wanted to get it, what is the best system to go for? Is it upgradeable/tweakable?
Can you post links to some info and impartial reviews?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.