ITrain Homepage

Site Directory
Membership
Train-the-Trainer
Trainer Certification
Certified Training Materials
ITinfo E-zine
Responsible Training
White Papers
Trainer Resources
What's New
Speaking Engagements
Onsite Training
ITrain Gear



Popular Links
Speaking Engagements
Training Manuals
Certification
Train the Trainer
The Training Book
Technical Writing
Privacy Policy

Print this document

Google
Web ITrain.org

Hey, Look What I Found!

IE5 leaves the security door wide open

ITinfo Sponsor

CONTRACT INSTRUCTORS

If you are available for short & long term assignments throughout the USA or worldwide we would like you to register with us.

Xellex has hundreds of Instructors and hundreds of assignments globally. We are seeking all types of certified and uncertified IT instructors.

Alternatively, if you work for a Training Center or an organization that is seeking instructors or consultants we can help you also.

Xellex, Inc.
Certified Contract Instructors & Consultants
888-5-XELLEX or 712-273-5433
training@xellex.com

Microsoft IE5 Allows Websites to Read Private Files

by Dave Murphy
ISSN 1535-3613

Dave Murphy, ITrain founder Microsoft admits that there's a significant security hole in Internet Explorer 5. The problem is reported in it's Security Bulletin MS99-040. The security vulnerability that could allow a website to read a file on the computer of a user visiting the site. The security hole also extends to reading files on other computers connected to the visitors Local Area Network and intranet. The details of this article are excerpted from Microsoft's security bulletin.

This problem lies in the implementation of a feature in IE5 called "Download Behavior." This feature allows webpages to download files for use in client-side script. By design, these files must reside on the same domain as the webserver providing the pages. This restriction prevents client-side script from accessing files from the client PC or the local intranet to the webpage.

A malicious webmaster could use a server-side redirect to bypass the domain restriction. This would allow the website to copy files from the user's machine or the user's local intranet to the web server and read them.

A script is a program, usually one written in a language like Visual Basic or Javascript. Some software is designed to run on the server, while other software is designed to be run by the web browser, also known as a web client. Client-side script is just software designed to be run by the browser.

A server-side redirect is a mechanism that is normally used by webmasters to navigate web browsers to different pages, similar to a "meta refresh". In the case of this exploit, the server-side redirect tricks the download behavior, causing it to download a page from a domain different from that of the web page. If a malicious webmaster knew or could guess the name of a file and its location, it would be possible for him to read the file from the user's computer or the intranet to which it was connected.

As an immediate step, users who are concerned about this vulnerability can safeguard their computers by disabling Active Scripting. To do this, do the following:

  1. In IE5, select Tools | Internet Options, then click on the Security tab.
  2. Select the Internet Zone, then click on the "Custom Level" button.
  3. Under "Scripting", find the entry labeled "Active Scripting" and set it to "Disable."
  4. Click OK twice to return to IE5.

If you visit web sites that rely on Active Scripting, some of their features and functions may not be available. If you need Active Scripting in order to use a site that you trust, you may wish to consider adding the site to the Trusted Zone as follows:

  1. In IE5, select Tools | Internet Options, then click on the Security tab.
  2. Select the Trusted Sites Zone, then click on the "Sites" button.
  3. Type the URL of the site then click on the "Add" button.
  4. Click OK twice to return to IE5.

The patch will deliver a new version of Download Behavior that can only download files from the domain that was the source of the web page that requested the download. When the patch is available, we will re-release the bulletin and post it on our Security Advisor site.

What do you think? Have you experienced a security hack using Internet Explorer? Which browser do you think is most secure: IE5, Navigator, Opera, or another? Leave your comments on the message center.

MS Security Bulletin MS99-040
MS Security Advisor
Message Center

Subscribe to ITinfo.
Receive computing and Internet news & tips
by subscribing to the ITinfo information service.
Type your Internet email address in the form, and click "Subscribe."
Email Address:

Previous issues are on our website at http://itrain.org/itinfo/.

International Association of Information Technology Trainers
PMB 616
6030-M Marshalee Dr
Elkridge, MD 21075-5987

410.567.5366
1.888.290.6200
fax: 801.650.0423
Membership Director: member@itrain.org

Return to ITrain Homepage

Copyright © 2000 International Association of Information Technology Trainers, Ltd., All Rights Reserved

http://itrain.org/itinfo/1999/it990929.html
updated September 29, 1999