荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: jjksam (~随缘~ (我要专心学习)), 信区: Security
标 题: Cookie Flaw Leaves IE Users Vulnerable to Attacks
发信站: 荔园晨风BBS站 (Sat Nov 10 10:16:43 2001), 转信
url: http://www.eweek.com/article/0,3658,s%253D701%2526a%253D18121,00.asp
November 9, 2001
Cookie Flaw Leaves IE Users Vulnerable to Attacks
By Dennis Fisher
A newly discovered flaw in the way that Internet Explorer handles Web site
cookies could enable an attacker to view and edit a user's personal data
contained in the cookies.
ADVERTISEMENT
The vulnerability affects all versions of IE, but is mitigated by several
factors, according to a bulletin released Thursday by Microsoft Corp.
Under normal operation, Web sites are only able to access the cookies for
their site on a given user's machine. By crafting a URL with specific
contents, an attacker could gain access to cookies for other sites and edit
the contents of the files by injecting a script.
Many sites store personally identifiable information in their cookies.
However, to execute the attack, the victim must either visit a Web page or
open an e-mail containing the malicious URL. Still, Microsoft has given the
vulnerability a "high" severity rating for all affected systems.
The Redmond, Wash., company does not yet have a patch available but said
that disabling active scripting will prevent the problem. Also, users who have
either applied the Outlook E-mail Security Update or have set Outlook Express
to use the Restricted Sites Zone are not vulnerable to the HTML mail
portion of the attack.
Also on Thursday, Microsoft issued a warning that the patch it issued last
week to fix a denial-of-service vulnerability in the Universal Plug and Play
component in Windows ME contained a regression error that causes affected
machines to become erratic and hangs some applications.
Similar patches for Windows 98 and Windows XP are unaffected. Microsoft has
removed the Windows ME patch from its Web site and is working on an updated
patch.
This is the second time in less than three weeks that Microsoft has had to
retract a patch because of a regression error. In late October the company had
a similar problem with a patch to repair a vulnerability in the terminal
services component of Windows 2000. Instead of fixing the flaw, the patch
prevented the service from working at all.
--
mm ☆__ __ __ __☆______ ______ __ __☆
/^( )^\ █ █ █/ █____ █__█ █∨█
\,(..),/ ▅__█ ▅__█ █\__ ▂__█ █ █ █ █
V~~V ▇▆▅▃▁I'm a bat. I'm very bad!^Q^_▃▄▆▇你好!^_^欢迎大家到linux?
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.0.146]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店