[JA] FYI

  • From: Babette C Bloch <bvcb@xxxxxxxx>
  • To: juno_accmail@xxxxxxxxxxxxxxxxx
  • Date: Sun, 11 Nov 2001 08:59:27 -0800


This was in the Tourbus Newsletter, to which I subscribe, and may be of
interest to others.

--------------------
Cookie Security Hole
--------------------

Okay.  I give up.  For about six years I have told everyone that there
isn't much to fear about cookies, information that Web sites put on
your hard drive so that the sites can remember something about you at
a later time.  According to SearchSecurity.com,

      Cookies are commonly used to rotate the banner ads that a site
      sends so that it doesn't keep sending the same ad as it sends you
      a succession of requested pages.  They can also be used to
      customize pages for you based on your browser type or other
      information you may have provided the Web site.  Web users must
      agree to let cookies be saved for them, but, in general, it helps
      Web sites to serve users better.

You can read SearchSecurity.com's complete cookie definition at

http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211838,00.html

Cookies sound pretty innocuous, don't they?

Well, our friends at Microsoft announced on Wednesday that

      A vulnerability exists because it is possible to craft a URL that
      can allow sites to gain unauthorized access to user's cookies and
      potentially modify the values contained in them.  Because some
      web sites store sensitive information in a user's cookies, it is
      also possible that personal information could be exposed.

In other words, if you use a Web site that requires a userid and a
password -- like an online bank, an online stock broker, a Web-based
email program, and so on -- and that userid and password are stored on
your computer in the form of a cookie, it is conceivable that some
nefarious bozo could access that cookie on your hard drive and then
wreak all sorts of havoc.  Not good.

From what I can gather,

      1. This cookie vulnerability exists in Internet Explorer 5.5 and
         6.0, and possibly in earlier versions of Internet Explorer as
         well.

      2. I *THINK* this vulnerability only affects Windows users who
         also use Internet Explorer -- in other words, it does *NOT*
         affect Mac or Linux users, or PC users who use Netscape
         instead of IE -- but I am not certain.

      3. Microsoft doesn't have a patch for this vulnerability yet, but
         they are working on it.  [I'll give you the URL and
         installation directions for the patch in an upcoming TOURBUS
         post.]

      4. There is a pretty simple way for you to protect your computer
         from this vulnerability: temporarily disable active scripting
         in Internet Explorer 5.5 or 6.0 until the patch is available.

How do you disable active scripting in Internet Explorer 5.5 and 6.0?
Easy!

      1. Launch Internet Explorer.

      2. Go to Tools --> Internet Options.

      3. Click on the "Security" tab.

      4. Click on the "Custom Level..." button.

      5. Scroll down to the "Scripting" section (the section's icon is
         a scroll in the shape of the letter "S").

      6. Under "Active Scripting," choose "Disable."

      7. Under "Scripting of Java applets," also choose "Disable."

      8. Click on the "OK" button.

      9. Click on the "OK" button again.

That should do it.

By the way, if you want to read Microsoft's complete "Cookie Data in
IE Can Be Exposed or Altered Through Script Injection" security
bulletin, check out

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp

=====================[ Tourbus Rider Information ]===================
    The Internet Tourbus - U.S. Library of Congress ISSN #1094-2238
      Copyright 1995-2001, Crispen & Rankin - All rights reserved

  Help the hungry, poor and sick - for free!  http://FreeDonation.com

       Subscribe, Signoff, Archives, Free Stuff and More at the
               Tourbus Website - http://www.TOURBUS.com
====

