Bugtraq mailing list archives

RE: Microsoft IE cookies readable via about: URLS


From: "Per Arne Johansson" <perarne () johansson com>
Date: Mon, 12 Nov 2001 14:06:35 +0100



-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk] 
Sent: Friday, November 09, 2001 3:51 PM
To: bugtraq () securityfocus com
Cc: Jouko Pynnonen
Subject: Re: Microsoft IE cookies readable via about: URLS



A better workaround (assuming that you feel cookies are "relatively 
useful" and would rather not turn them off) is to put about: URLs 
into the Restricted Sites zone, as detailed in Andrew Clover's 
followup to his own post:

  http://www.securityfocus.com/archive/1/222552

In short, create a DWORD value named "about" under:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\ProtocolDefaults 

and set it to 4.

I just tested this against your test page and with the above value set,
the test tells me "No cookies found for site...". 
Interestingly, this registry change seems to have almost immediate
effect -- i.e. it did not require a restart or logout/login or even 
an IE exit/restart (I did this on Win2K) but occasionally, when 
running the test page over and over alternating back and forward 
between having the above value set and not present (the default), the 
page would work as if the registry value had not yet been changed.


I have tried this workaround; it works as described and without a reboot.
However, it breaks certain applications that use the "Internet Explorer
Server Window", most notably Yahoo Instant Messenger 5. It does not affect
versions 3 or 4. My version of YAIM is 5,0,0,1036.
The effect, in short: the "Internet Explorer Server Window" remains blank,
not showing the IM texts.

This might be due to poor design on Yahoo's part, but I am posting it as
it may affect other applications as well and might not be a good
workaround for all.


Best Regards,

Per Arne Johansson
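The registry workaround discussed in this thread, as an added PowerShell example (not code from either message): it reads the ProtocolDefaults "about" value, reports which URL security zone it maps to, applies the value 4 from the thread, and can remove it again for hosts where embedded IE windows break as Per Arne describes. Only the key path and the value 4 come from the thread; the function names and the zone-number table are assumptions introduced here.

```powershell
# Added example: audit/apply the about: -> Restricted Sites mapping from the
# thread. Key path and the value 4 are from the thread; function names and
# the zone table below are assumptions, not an IE-provided API.
# Writing under HKLM requires an elevated (administrator) shell.
$ProtocolDefaults = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'

# URL security zone numbers used by the ZoneMap keys.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-AboutProtocolZone {
    # Returns the zone the about: protocol is mapped to, or $null when the
    # value is absent (the IE default, which the thread reports as exposing cookies).
    $item = Get-ItemProperty -Path $ProtocolDefaults -Name 'about' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.about
}

function Set-AboutProtocolZone {
    # Creates or overwrites the DWORD "about" value; 4 = Restricted Sites.
    param([int]$Zone = 4)
    if (-not (Test-Path $ProtocolDefaults)) {
        New-Item -Path $ProtocolDefaults -Force | Out-Null
    }
    New-ItemProperty -Path $ProtocolDefaults -Name 'about' -PropertyType DWord `
        -Value $Zone -Force | Out-Null
}

function Remove-AboutProtocolZone {
    # Rollback for hosts where an embedded "Internet Explorer Server Window"
    # (the Yahoo IM 5 case in the thread) goes blank with about: restricted.
    Remove-ItemProperty -Path $ProtocolDefaults -Name 'about' -ErrorAction SilentlyContinue
}

function Show-AboutProtocolZone {
    # Human-readable report of the current mapping.
    $zone = Get-AboutProtocolZone
    if ($null -eq $zone) { 'about: has no ProtocolDefaults entry (IE default)' }
    elseif ($ZoneNames.ContainsKey($zone)) { "about: maps to zone $zone ($($ZoneNames[$zone]))" }
    else { "about: maps to unknown zone $zone" }
}

Show-AboutProtocolZone          # state before the change
Set-AboutProtocolZone -Zone 4   # apply the workaround from the thread
Show-AboutProtocolZone          # state after the change
```

Run `Remove-AboutProtocolZone` to revert on a host where an application's embedded IE window stops rendering after the change.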
