- From: Robert Neff <rcn@fenix2.dol-esa.gov>
- Date: Wed, 14 Oct 1998 08:04:55 -0400
- To: "'w3c-wai-ig@w3.org'" <w3c-wai-ig@w3.org>
Guard your privacy from Cache Cow and the Cuartango Hole
Dan Brumleve wrote with word of a new vulnerability he had discov-ered in
all versions of Netscape Navigator. (Internet Explorer is immune.) See the
exploit page [10]. The exploit, which Brumleve calls Cache-Cow, captures
the entire browsing history of the victim's copy of Navigator, including
all form data that has ever been sent via the GET method-including any
passwords. The exploit uses Java-Script to compromise all versions of
Navigator prior to 4.06; a slightly reworked version of the CGI script [11]
fells 4.06 as well.
According to one security researcher, the same vulnerability can be
exploited via email. This means your browser cache could be stolen if you
simply read an email message.
Netscape acknowledged the Cache-Cow vulnerability [12] and released version
4.07 of Navigator and Communicator to fix it. Five days later Brumleve
posted Son-of-Cache-Cow [13] (Cache-Calf?). It steals the cache off of 4.07
in exactly the same way. Netscape has acknow-ledged [14] this one too,
calling it the Injection Bug. Unlike the earlier acknowledgement [12], this
one does not mention Brumleve by name. Perhaps they're getting annoyed with
him.
A more serious security threat affecting Internet Explorer 4.01 was
discovered by Web developer Juan Carlos Garcia Cuartango. Using the
Cuartango Hole [15], an attacker can steal any file off your disk for which
the name and location are known or can be guessed. Here is the discoverer's
exploit page [16]. Microsoft has confirmed the problem and is working on a
fix, Wired reports [17], but I couldn't find any mention of Cuartango on
Microsoft's security site [18].
[10] http://www.shout.net/~nothing/cache-cow/
[11] http://www.shout.net/nothing/view-cache-cow-4.06.cgi
[12]
http://home.netscape.com/products/security/resources/bugs/brumlevecache.
html
[13] http://www.shout.net/~nothing/son-of-cache-cow/index.html
[14] http://home.netscape.com/products/security/resources/bugs/injection
.html
[15] http://www.wired.com/news/news/technology/story/15530.html
[16] http://pages.whowhere.com/computers/cuartangojc/cuartangoh1.html
[17] http://www.wired.com/news/news/technology/story/15459.html
[18] http://www.microsoft.com/security/
________________
..Microsoft patches "Cross-Frame" security hole
Fixing a problem before we knew there was one
Eric Scheid forwarded this tidbit from the TidBITS newsletter. In-ternet
Explorer versions 3.x and 4.x on Windows and Macintosh is susceptible to
what Microsoft is calling the Cross-Frame Security Bug [19]. In all cases
the supplied patch works on 4.01 versions of the browser; users of earlier
versions are advised to upgrade and then to download the patch. The bug
would allow an attacker to access files on local disks [20]. Under Windows,
any program that uses the IE HTML engine (such as Quicken and Eudora) would
also be vulnerable until the IE patch was applied.
[19] http://www.microsoft.com/ie/security/?/ie/security/xframe.htm
[20] http://www.microsoft.com/ie/security/xframe-details.htm
________________
..Access to government cookies denied
Received on Wednesday, 14 October 1998 08:05:04 UTC