[NTSEC] New browser security hole (fwd)

Ryan Anderson ryan at michonline.com
Fri Oct 31 16:22:59 PST 1997 




In the interests of furthering the virus alerts we've seen today, I offer
this, from: http://www.browse.net/techfelch/

--------------------------------------------------------------------------

The Internet Engineering Taskforce (IETF) today
announced they had discovered a "far-reaching and
fundamental" security flaw in many of the web browsers
currently available, including the new 4.0 versions of
Netscape's and Microsoft's flagship browser products. 

"This loophole could seriously compromise the integrity
of user data, if exploited by an unscrupulous webmaster."
said Bill Robinson, a consultant and advisor to the IETF.
The details of the possible attack were announced in the
usual way in usenet newsgroups by the IETF.  The
bulletin states that "any browser that displays HTML
pages" may be vulnerable to the loophole.  "An
unscrupulous webmaster may exploit this loophole by
placing a message on any HTML page which instructs the
user to format their system's hard disk." says the
announcement.

Robinson stated that the code preys on users that don't
take strict security precautions, and that have trouble
breathing with their mouths closed.

   +----------------------------------------------+
   |  <HTML>                                      |
   |  <BODY>                                      |
   |  <H1>IMPORTANT!</H1>                         |
   |  <P>Format your hard disk immediately</P>    |
   |  </BODY>                                     |
   |  </HTML>                                     |
   +----------------------------------------------+
     One possible version of the 'rogue' code

The IETF recommended that Netscape users tick the
"Disable Java" option in the Netscape preferences dialog. 
"It won't do a damn bit of good," said Robinson, "but it's
about the only piece of Netscape user interface that you
can use without causing the damn thing to crash and burn,
so what the hell - it gives them something to do."

Microsoft claimed they would have a fix for MSIE
available within 48 Microsoft hours.

Linux users remain unaffected by the security threat as
they don't have any data anyone gives a toss about
anyway.

More information about the cypherpunks-legacy mailing list