Bugtraq mailing list archives

Re: Microsoft IE cookies readable via about: URLS


From: "Jeffrey W. Dronenburg" <dronenjw () us hsanet net>
Date: Fri, 9 Nov 2001 19:08:33 -0500

Nick FitzGerald <nick () virus-l demon co uk> wrote:

<snip>
A better workaround (assuming that you feel cookies are "relatively
useful" and would rather not turn them off) is to put about: URLs
into the Restricted Sites zone, as detailed in Andrew Clover's
followup to his own post:

   http://www.securityfocus.com/archive/1/222552

In short, create a DWORD value named "about" under:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

and set it to 4.

I just tested this against your test page and with the above value
set, the test tells me "No cookies found for site...".
Interestingly, this registry change seems to have almost immediate
effect -- i.e. it did not require a restart or logout/login or even
an IE exit/restart (I did this on Win2K) but occasionally, when
running the test page over and over alternating back and forward
between having the above value set and not present (the default), the
page would work as if the registry value had not yet been changed.

<snip>

I validated your test results with Windows 98 SE (4.10.2222A) in a
multi-user environment and Internet Explorer 5.5 (5.50.4807.2300IC with SP2;
Q306121 installed), both fully patched with latest updates.  I also
validated your test results with Windows Me (4.90.3000) and Internet
Explorer 5.5 (same version as above) and then again after upgrading to IE
6.0 (6.0.2600.0000).

In all cases, the registry change did not require a system reboot to take
effect.

However, when I attempted to validate your test result with IE 5.5 by
toggling the registry settings between "0" and "4", I noticed that
increasing the security setting takes effect immediately, while reducing it
requires a new instantiation of IE and will not take effect in the current
window.  Changing the registry value from "0" to "4" would change the output
results on the test Web page from displaying cookies to reporting "No
cookies found for site...".   Resetting the value from "4" to "0" had no
effect on the current instantiation of IE, but the new registry value would
take effect upon opening a new IE window, but still not in the previous IE
window.  (Isn't multi-tasking fun?  <smirk>).

This wasn't the case with IE 6.0, however.  Toggling the registry settings
between "0" and "4" took immediate effect in the current window when both
increasing and decreasing the setting.

Therefore, increasing the cookie security setting will take effect
immediately in both IE 5.5 and 6.0 in all open IE windows.  Decreasing the
setting will only take effect in a new window in IE 5.5 regardless of
whether or not the previous windows (including the REGEDIT window) are still
open or not.  Decreasing the setting in IE 6.0 will have immediate effect
and make the browser vulnerable to the exploit.

Cool stuff!  Thanks, Nick, for reminding us of Andrew's post.

Cheers,
Jeff

Jeffrey W. Dronenburg, Sr.
MIS Major, Univ. of Maryland, Univ. College
Alpha Sigma Lambda
Phi Kappa Phi

"A day without learning is like apple pie without ice cream.  They're both
much sweeter the other way around." -Me! :-)
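
[Added example, not part of the original post or of either author's
message: a PowerShell sketch that audits the "about" value described
above and, with -Fix, sets it to 4. The key path, value name and data come
from the post; the function names, the -Fix switch and the report layout
are illustrative, and PowerShell 3.0 or later is assumed.]

```powershell
# Audit (and optionally set) the zone mapping for about: URLs.
# Illustrative script: only the key path and "about" = 4 come from the post.
param([switch]$Fix)   # audit only by default; -Fix writes the value (needs elevation)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
# Standard URL security zone identifiers used by Internet Explorer.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';    4 = 'Restricted Sites' }

function Get-AboutZoneMapping {
    $r = [ordered]@{ Present = $false; Kind = $null; Zone = $null
                     ZoneName = 'default (value not set)'; Restricted = $false }
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    # A missing key or missing value means the workaround is not applied.
    if ($null -eq $key -or $key.GetValueNames() -notcontains 'about') {
        return [pscustomobject]$r
    }
    $r.Present = $true
    $r.Kind    = $key.GetValueKind('about')
    # The workaround calls for a DWORD; any other type is reported, not trusted.
    if ($r.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
        $r.Zone       = [int]$key.GetValue('about')
        $r.ZoneName   = if ($ZoneNames.ContainsKey($r.Zone)) { $ZoneNames[$r.Zone] } else { 'unknown zone' }
        $r.Restricted = ($r.Zone -eq 4)
    } else {
        $r.ZoneName = 'wrong value type'
    }
    [pscustomobject]$r
}

function Set-AboutRestricted {
    # Create the key if it is absent, then write about = 4 as a DWORD.
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -LiteralPath $KeyPath -Name 'about' -PropertyType DWord -Value 4 -Force | Out-Null
}

$state = Get-AboutZoneMapping
if ($Fix -and -not $state.Restricted) {
    Set-AboutRestricted
    $state = Get-AboutZoneMapping   # re-read to confirm what is now stored
}
$state | Format-List
```

[The script confirms only what is stored in the registry; whether an
already-open browser window honours the value is the separate question
the post tests by hand.]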


