IP: Microsoft Breaks Netscape Rule In New Security Flaw

[David Farber <dave () farber net>]

> Date: Mon, 07 Jan 2002 12:55:02 -0500
> To: farber () cis upenn edu
> From: Brian McWilliams <brian () pc-radio com>
> Subject: Microsoft Breaks Netscape Rule In New Security Flaw
>
> Hi Dave,
>
> FYI ...
>
> http://www.newsbytes.com/news/02/173439.html
>
> Microsoft Breaks Netscape Rule In New Security Flaw
> REDMOND, WASHINGTON, U.S.A.,
> 07 Jan 2002, 11:39 AM CST
>
>  The failure of Microsoft [NASDAQ:MSFT] to abide by a well-known browser 
> security rule has resulted in a "severe" flaw in the company's Internet 
> Explorer browser, according to security experts.
>
> The security bug, which affects all current versions of Internet Explorer 
> for Windows, including IE 5.5 and IE 6, provides attackers with a grab-bag 
> of techniques for stealing other users' browser cookies, reading some 
> files on their hard disks, and "spoofing" the content of legitimate sites, 
> according to ThePull, an independent security researcher who discovered 
> the vulnerability.
>
> An advisory describing the flaw, along with hyperlinks to demonstration 
> exploits, was posted by ThePull on SecurityFocus' Bugtraq mailing list and 
> mailed to Microsoft on Dec. 19.
>
> Microsoft officials were not immediately available for comment.
>
> In its own description of the vulnerability, SecurityFocus, a security 
> information and consulting firm, said Microsoft violated a basic security 
> rule known as the "same origin policy." The rule was outlined four years 
> ago in a JavaScript security guide authored by Netscape Communications.
>
> According to the 1997 Netscape guide, which was cited in a 2000 advisory 
> from the Computer Emergency Response Team (CERT), JavaScript code 
> executing in the context of one Web site should not be able to access the 
> properties of another.
>
> [snip]

For archives see:
http://www.interesting-people.org/archives/interesting-people/