Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IE exposing URLs to msn.com and alexa.com?

From: shimi <shimi () shimi net>
Date: Thu, 19 Jun 2003 19:54:05 +0300 (IDT)

That's nothing. 404 errors, all of them, are reported to MSN with their 
"autosearch" feature, which, of course, passes a referrer...

On Tue, 17 Jun 2003, Stewart Smith wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Has anyone been able to verify this?

http://www.secunia.com/advisories/8955/

Internet Explorer Exposes Sensitive Information

Release Date:
2003-06-06

Critical:
Moderately critical

Impact:
Exposure of sensitive information

Where:
 From remote

Software:
Microsoft Internet Explorer 6

Description:
A vulnerability has been identified in Internet Explorer, which exposes 
sensitive information to "msn.com" and "alexa.com".

  While this is a known "feature" when the "Show Related Links" option 
is activated in Internet Explorer, there is a bug, so that Internet 
Explorer will keep transmitting the information to "msn.com" and 
"alexa.com" after "Show Related Links" has been de-activated. This 
occurs whenever "Ctrl+R" is used to reload a page.

  To make matters worse, it has been confirmed that this behaviour also 
affects SSL enabled pages. One thing is that Microsoft has chosen to 
make a "feature", which reveals this information to "msn.com" and 
"alexa.com", but the fact that information, which was supposed to be 
protected by SSL and sent only to one site, is sent in plain text to a 
third party ("msn.com" and "alexa.com") is of great concern.

  The data transmitted to "msn.com" and "alexa.com" is the complete URL. 
In some cases this could contain sensitive information such as 
username, password, session id, search string, "secret paths", and more.

  The vulnerability has been confirmed for Internet Explorer 6 on 
Windows 2000 and Windows XP with all Service Packs and hotfixes.

  It is Microsoft that controls who else than "msn.com" should receive 
this information. Microsoft could at any time choose to send this 
information to another party than "alexa.com".



Solution:
We recommend that you filter traffic at your perimeter so that no data 
may be sent to "msn.com" and "alexa.com".

  Make sure that you don't use the "Show Related Links" feature or that 
you close your browser after you have used it.

  For other alternative solutions see "Other References".



Reported by / credits:
Mike Shepherd



Changelog:
2003-06-09 Minor correction. Added link to alternative solutions.



Other References:
http://www.imilly.com/alexa.htm#subvert

Stewart Smith
stewart () gammasolutions com
Programmer / UNIX Sys Admin

Gamma Solutions Pty Ltd
Monash Corporate Centre,
Unit 11, 20 Duerdin Street,
Clayton, Victoria 3168
Phone:  +61 3 9562 7755
Fax:    +61 3 9562 7766
Mobile: +61 4 3884 4332
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+7mZZFtJC9tN9SokRAo1zAJ93g0roDJlfeZXSI5CQXY99X5t+ZgCgl9Wq
kK3vp6lnViXndwoYPkXrj0E=
=3zvI
-----END PGP SIGNATURE-----



-- 

  Best regards,
     Shimi


----

   "Outlook is a massive flaming horrid blatant security violation, which
    also happens to be a mail reader."

   "Sure UNIX is user friendly; it's just picky about who its friends are."
Previous By Date Next
Previous By Thread Next

Current thread: