Internet Explorer 3.0 Security Problem

Bob Craigmile librlc at emory.edu
Mon Aug 26 16:29:33 EDT 1996


FYI.  Hope this isn't redundant.

>----------------------------Original message----------------------------
>From the "comp.risks" USENET forum....
>
>Date: Wed, 21 Aug 1996 13:12:59 -0400
>From: felten at CS.Princeton.EDU (Ed Felten)
>Subject: Internet Explorer Security Problem
>
>We have discovered a security flaw in the current version (3.0) of
>Microsoft's Internet Explorer browser running under Windows 95.  An attacker
>could exploit the flaw to run any DOS command on the machine of an Explorer
>user who visits the attacker's page.  For example, the attacker could read,
>modify, or delete the victim's files, or insert a virus or backdoor entrance
>into the victim's machine.  We have verified our discovery by creating a Web
>page that deletes a file on the machine of any Explorer user who visits the
>page.
>
>The core of the attack is a technique for delivering a document to the
>victim's browser while bypassing the security checks that would normally be
>applied to the document.  If the document is, for example, a Microsoft Word
>template, it could contain a macro that executes any DOS command.
>
>Normally, before Explorer downloads a dangerous file like a Word document,
>it displays a dialog box warning that the file might contain a virus or
>other dangerous content, and asking the user whether to abort the download
>or to proceed with the download anyway.  This gives the user a chance to
>avoid the risk of a malicious document.  However, our technique allows an
>attacker to deliver a document without triggering the dialog box.
>
>Microsoft has been notified and they are working on fixing the problem.
>Until a remedy is widely available, we will not disclose further details
>about the flaw.
>
>For more information, contact Ed Felten at felten at cs.princeton.edu or
>609-258-5906.
>
>Dirk Balfanz and Ed Felten
>Dept. of Computer Science, Princeton University
>http://www.cs.princeton.edu/sip/
>
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Bob Craigmile, Reference Librarian
Pitts Theology Library, Emory University
librlc at emory.edu | http://www.pitts.emory.edu/bob/bob.html
404.727.1221 (w)  404.378.6388  (h)


