1997-10-02 - Possible Security Hole in Internet Explorer 4.0

Header Data

From: Martin Minow <minow@apple.com>
To: risks@csl.sri.com
Message Hash: d95f96b93729ad82dc3093a2eb3d294291e61efaacdaaf1e6abd65144add6a5d
Message ID: <v03102804b0599ac5ba6e@[17.219.103.39]>
Reply To: N/A
UTC Datetime: 1997-10-02 19:44:25 UTC
Raw Date: Fri, 3 Oct 1997 03:44:25 +0800

Raw message

From: Martin Minow <minow@apple.com>
Date: Fri, 3 Oct 1997 03:44:25 +0800
To: risks@csl.sri.com
Subject: Possible Security Hole in Internet Explorer 4.0
Message-ID: <v03102804b0599ac5ba6e@[17.219.103.39]>
MIME-Version: 1.0
Content-Type: text/plain



>From a message in MacOSRumors <http://rumors.netexpress.net/> (I have
not independently verified this)

--- Begin quote ---

Internet Explorer 4.0 ships with major security hole....

With the Microsoft Internet Explorer 4.0 for Windows release only hours
old, users have already discovered a major security hole that smacks
painfully of Big Brother:

Most folks will remember the Netscape java bug that allowed you to snoop on
what people where visiting. Well IE4.0 goes a bit further than this -
Logging of your actions, even when you would otherwise be shielded by
proxies is BUILT-IN.

The channel definition format (.CDF)
http://www.microsoft.com/standards/cdf-f.htm
includes a LOGTARGET feature that allows a web site provider to make your
browser deliver logs of your usage via an http post or put. Even hits from
cache are logged. This is all not so good and getting worse. Not only is
the information posted material, you wouldn't want to give to a provider,
(considering) "http post/put" is normally spoofable anyway.

Unanswered question for next time - or for folks with more time than me to
follow up Can you put other sites in your channel definition and get logs
of when they read your competitor's site (with this system)?

Definitely not confidence-inspiring. It appears the Mac version is affected
by this same problem, as well...and neither platform has any means of
disabling this "feature" at present.

---
[Internet Explorer 4.0 has not yet been released for the Macintosh platform.]

Martin Minow minow@apple.com







Thread