Bugtraq mailing list archives
Re: IE5 Feature/security hole
From: juolja () UTU FI (Juha Jäykkä)
Date: Mon, 29 Mar 1999 09:44:52 +0300
According to Microsoft, the database (call it what you like) where all this information is stored is encrypted, so you cannot just go to a random machine and grab all the data - you must go to a form that has the proper field names in order to get the information.
Blast it! Where does the pass phrase come from? Does IE5 ask the user for encryption password when this autofill feature is first used? Does IE5 ask the user for decryption password every time this feature is used during different sessions? (By session I mean running a program and shutting it down. The important thing here is it thus effectively erases any memory cache it might have been using - if it remembered the password (as programs NEVER must)...)

If you answered "no" to any of the above, then the password is stored somewhere and it can be retrieved and the "secure" encrypted storage decrypted by anyone who has access to the machine. This brings us back to square one: anyone with access to your IE5 has access to anything you have ever typed in any form.

By the way: where exactly are the entries stored? Are they secured with proper NTFS permissions or are they just left somewhere in %SystemRoot% with Everyone:F permissions so every user would use the same file or does every user have a distinct file (not that this would help with non-NT windows)?

I just wonder, when will we see security in MS products, other than NT? I'm becoming really worried... now that NT5 is renamed, I'd not be surprised if security had been also lost with the name...

--
Juha Jäykkä, juhaj () iki fi