Internet Explorer 3.0 Security Problem
CHAPIN Newt R
Newt.R.CHAPIN at CI.Eugene.OR.US
Mon Aug 26 17:32:00 EDT 1996
There's a patch already out from Microsoft. See
http://www.microsoft.com/ie/download/ for information and to download the
patch for IE 3.00.
Newt Chapin
----------
From: web4lib
To: Multiple recipients of list
Subject: Internet Explorer 3.0 Security Problem
Date: Monday, August 26, 1996 1:57PM
FYI. Hope this isn't redundant.
>----------------------------Original message----------------------------
>From the "comp.risks" USENET forum....
>
>Date: Wed, 21 Aug 1996 13:12:59 -0400
>From: felten at CS.Princeton.EDU (Ed Felten)
>Subject: Internet Explorer Security Problem
>
>We have discovered a security flaw in the current version (3.0) of
>Microsoft's Internet Explorer browser running under Windows 95. An attacker
>could exploit the flaw to run any DOS command on the machine of an Explorer
>user who visits the attacker's page. For example, the attacker could read,
>modify, or delete the victim's files, or insert a virus or backdoor entrance
>into the victim's machine. We have verified our discovery by creating a Web
>page that deletes a file on the machine of any Explorer user who visits the
>page.
>
>The core of the attack is a technique for delivering a document to the
>victim's browser while bypassing the security checks that would normally be
>applied to the document. If the document is, for example, a Microsoft Word
>template, it could contain a macro that executes any DOS command.
>
>Normally, before Explorer downloads a dangerous file like a Word document,
>it displays a dialog box warning that the file might contain a virus or
>other dangerous content, and asking the user whether to abort the download
>or to proceed with the download anyway. This gives the user a chance to
>avoid the risk of a malicious document. However, our technique allows an
>attacker to deliver a document without triggering the dialog box.
>
>Microsoft has been notified and they are working on fixing the problem.
>Until a remedy is widely available, we will not disclose further details
>about the flaw.
>
>For more information, contact Ed Felten at felten at cs.princeton.edu or
>609-258-5906.
>
>Dirk Balfanz and Ed Felten
>Dept. of Computer Science, Princeton University
>http://www.cs.princeton.edu/sip/
>
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+
Bob Craigmile, Reference Librarian
Pitts Theology Library, Emory University
librlc at emory.edu | http://www.pitts.emory.edu/bob/bob.html
404.727.1221 (w) 404.378.6388 (h)