Time: Sat Oct 18 07:46:58 1997
Date: Sat, 18 Oct 1997 07:43:34 -0700
To: (Recipient list suppressed)
From: Paul Andrew Mitchell [address in tool bar]
Subject: SLS: IE 4.0 browser fails as secure communications platform

>"Published: Oct. 16, 1997
> Mercury News Staff Writer 
> German computer researchers reported Thursday they have found a 
>security problem with Microsoft Corp.'s new Web browsing software, 
>Internet Explorer 4.0, that could make innocent browser users 
>vulnerable to snoops.
> The security hole allows an outsider to read files on a computer 
>equipped with IE 4.0 -- as well as certain computers linked to it -- 
>provided the name and location of the files are known to the outsider.
> Microsoft executives say they are aware of the problem and are 
>creating a fix for it, but do not consider the flaw serious. Data 
>cannot be destroyed or altered through the flaw, which would typically 
>be exploited by a malevolent Web site developer who built a Web page 
>designed to vacuum up data from anyone who visited the page.
> Microsoft engineers also note the hole can only be used to read text 
>files, graphics files, or HTML files used with Web pages, but not 
>files stored as ``pdf'' files, for example.
> But some security experts say the problem is severe because many 
>software programs use the same file names and locations on every 
>computer where they're installed unless the user changes them.
> Moreover, a Web site that exploits the flaw can bypass traditional 
>network security, such as firewalls, and make copies of data, not 
>only on the user's machine, but on other machines linked to that 
>machine, such as on a corporate network.
> The patch for the hole should be available Friday from Microsoft's 
>Web site, according to Dave Fester, group product manager for IE 4.0.
> Ralf Hueskes, a computer consultant with Jabadoo Communications in 
>Germany, discovered the problem while evaluating IE 4.0 for c't, a 
>respected German computer magazine published every other week.
> The hole is strikingly similar in its effect to a security problem 
>found last summer in versions of Mountain View-based Netscape 
>Communications Corp.'s Web browser by a Danish hacker, but the 
>underlying flaws are very different.
> The IE 4.0 problem is related to Microsoft's version of Dynamic HTML, 
>used to develop Web pages that include things like animation.
> Like Internet Explorer 4.0, Netscape's browser enables users to read 
>Web pages developed with Dynamic HTML. But Hueskes says he can't find 
>the problem in Netscape's latest Web browsers, possibly because the 
>two implement the technology in slightly different ways.
> IE 4.0, like Netscape's new browser, allows users to set different 
>levels of browser security, from ``low'' to ``high.'' But setting 
>security levels to their highest level won't plug this hole, according 
>to Hueskes. ``The security settings have no impact,'' he said in a 
>telephone interview.
> Microsoft executives say those security features can indeed protect 
>users by setting up specific ``security zones'' that prevent malicious 
>activity in certain circumstances.
> Until a patch is released, users who are concerned can protect 
>themselves by disabling or restricting a function on IE 4.0 called 
>``Active Scripting.'' To disable it, click on the ``View'' item in the 
>menu, then ``Internet Options,'' then ``Security,'' then ``Custom,'' 
>then the ``Settings'' button. Look for the ``Scripting'' line and 
>click ``Disable'' under ``Active Scripting.''
> With ``Active Scripting'' disabled, users may find that a few Web 
>sites no longer work properly, but the feature can easily be turned 
>back on.
> Instead of disabling scripting entirely, Microsoft recommends a 
>process that lets users declare some sites as always safe, or 
>``trusted,'' while keeping their guard up for others. Microsoft 
>engineers suggest telling the IE 4.0 software to ask the user if 
>scripting is okay whenever encountering a Web site where 
>scripting is in use. This Web-site screening process can be activated 
>by clicking on ``Prompt'' rather than ``Disable,'' then following 
>instructions to set up different security zones under ``Internet 
>Options.'' "

Paul Andrew Mitchell, Sui Juris      : Counselor at Law, federal witness 01
B.A.: Political Science, UCLA;   M.S.: Public Administration, U.C.Irvine 02
tel:     (520) 320-1514: machine; fax: (520) 320-1256: 24-hour/day-night 03
email:   [address in tool bar]       : using Eudora Pro 3.0.3 on 586 CPU 04
website: http://supremelaw.com       : visit the Supreme Law Library now 05
ship to: c/o 2509 N. Campbell, #1776 : this is free speech,  at its best 06
             Tucson, Arizona state   : state zone,  not the federal zone 07
             Postal Zone 85719/tdc   : USPS delays first class  w/o this 08
_____________________________________: Law is authority in written words 09
As agents of the Most High, we came here to establish justice.  We shall 10
not leave, until our mission is accomplished and justice reigns eternal. 11
======================================================================== 12
[This text formatted on-screen in Courier 11, non-proportional spacing.] 13

