1997-11-01 - [NTSEC] New browser security hole (fwd)

Header Data

From: Ryan Anderson <ryan@michonline.com>
To: “Those that appreciate humor..”: ;
Message Hash: 98467f37a4f484ba6577a9ab3a763caf4cfd57947c290cb954dba7191ae56d5f
Message ID: <Pine.GSO.3.95.971031190142.20665B-100000@king>
Reply To: N/A
UTC Datetime: 1997-11-01 00:22:59 UTC
Raw Date: Sat, 1 Nov 1997 08:22:59 +0800

Raw message

From: Ryan Anderson <ryan@michonline.com>
Date: Sat, 1 Nov 1997 08:22:59 +0800
To: "Those that appreciate humor..":  ;
Subject: [NTSEC] New browser security hole (fwd)
Message-ID: <Pine.GSO.3.95.971031190142.20665B-100000@king>
MIME-Version: 1.0
Content-Type: text/plain





In the interests of furthering the virus alerts we've seen today, I offer
this, from: http://www.browse.net/techfelch/

--------------------------------------------------------------------------

The Internet Engineering Taskforce (IETF) today
announced they had discovered a "far-reaching and
fundamental" security flaw in many of the web browsers
currently available, including the new 4.0 versions of
Netscape's and Microsoft's flagship browser products. 

"This loophole could seriously compromise the integrity
of user data, if exploited by an unscrupulous webmaster."
said Bill Robinson, a consultant and advisor to the IETF.
The details of the possible attack were announced in the
usual way in usenet newsgroups by the IETF.  The
bulletin states that "any browser that displays HTML
pages" may be vulnerable to the loophole.  "An
unscrupulous webmaster may exploit this loophole by
placing a message on any HTML page which instructs the
user to format their system's hard disk." says the
announcement.

Robinson stated that the code preys on users that don't
take strict security precautions, and that have trouble
breathing with their mouths closed.

   +----------------------------------------------+
   |  <HTML>                                      |
   |  <BODY>                                      |
   |  <H1>IMPORTANT!</H1>                         |
   |  <P>Format your hard disk immediately</P>    |
   |  </BODY>                                     |
   |  </HTML>                                     |
   +----------------------------------------------+
     One possible version of the 'rogue' code

The IETF recommended that Netscape users tick the
"Disable Java" option in the Netscape preferences dialog. 
"It won't do a damn bit of good," said Robinson, "but it's
about the only piece of Netscape user interface that you
can use without causing the damn thing to crash and burn,
so what the hell - it gives them something to do."

Microsoft claimed they would have a fix for MSIE
available within 48 Microsoft hours.

Linux users remain unaffected by the security threat as
they don't have any data anyone gives a toss about
anyway.







Thread