
Thread: Internet Explorer Exposes Sensitive Information

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Posts
    117

    Internet Explorer Exposes Sensitive Information

    Ok, so the subject line ain't nothing new... But this Advisory is.

    Release Date: 2003-06-06

    Critical: Moderately critical
    Impact: Exposure of sensitive information
    Where: From remote

    Software: Microsoft Internet Explorer 6


    Description:
    A vulnerability has been identified in Internet Explorer, which exposes sensitive information to "msn.com" and "alexa.com".

    While this is a known "feature" when the "Show Related Links" option is activated in Internet Explorer, there is a bug, so that Internet Explorer will keep transmitting the information to "msn.com" and "alexa.com" after "Show Related Links" has been de-activated. This occurs whenever "Ctrl+R" is used to reload a page.

    To make matters worse, it has been confirmed that this behaviour also affects SSL enabled pages. One thing is that Microsoft has chosen to make a "feature", which reveals this information to "msn.com" and "alexa.com", but the fact that information, which was supposed to be protected by SSL and sent only to one site, is sent in plain text to a third party ("msn.com" and "alexa.com") is of great concern.

    The data transmitted to "msn.com" and "alexa.com" is the complete URL. In some cases this could contain sensitive information such as username, password, session id, search string, "secret paths", and more.

    The vulnerability has been confirmed for Internet Explorer 6 on Windows 2000 and Windows XP with all Service Packs and hotfixes.

    It is Microsoft that controls who else than "msn.com" should receive this information. Microsoft could at any time choose to send this information to another party than "alexa.com".
    Whole Advisory can be found at Secunia: http://www.secunia.com/advisories/8955/

    See, what I put in bold here really disturbs me, cuz my bank's online services have a number of juicy stuff sitting in the URL.

    Furthermore, is this the same Alexa app that is picked up by Ad-aware? If so, what has that to do with MS?
    .sig - There never was a .sig?
    I own a Schneider EuroPC with MS-Dos 3.3 and it works.
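
Added example, not part of the original post or the Secunia advisory: one way to audit URLs (for instance from a proxy log) for the kinds of data the advisory says a complete URL can carry, namely username, password, session id and search string, and to produce a redacted form. The parameter-name list, the finding labels and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed list of parameter names worth flagging; tune it for your own applications.
SENSITIVE_KEYS = {"user", "username", "login", "pass", "password", "pwd",
                  "sid", "sessionid", "session_id", "token", "q", "search"}
# Session ids carried as path parameters, e.g. ";jsessionid=..."
PATH_SESSION = re.compile(r";(jsessionid|phpsessid|sid)=[^/;?#]+", re.I)


def audit_url(url):
    """Return (findings, redacted_url) for one complete URL."""
    parts = urlsplit(url)
    findings = []

    # Credentials embedded as user:password@host are dropped from the redacted form.
    host = parts.hostname or ""
    if parts.port:
        host += ":%d" % parts.port
    if parts.username or parts.password:
        findings.append("userinfo")
    # Session id embedded in the path.
    path, n = PATH_SESSION.subn(lambda m: ";%s=REDACTED" % m.group(1), parts.path)
    if n:
        findings.append("path-session-id")
    # Query parameters whose names suggest sensitive values.
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append("query:" + key)
            value = "REDACTED"
        query.append((key, value))
    # Flag data that the page itself only ever sent over SSL.
    if parts.scheme == "https" and findings:
        findings.append("from-ssl-page")
    redacted = urlunsplit((parts.scheme, host, path, urlencode(query), ""))
    return findings, redacted


# Constructed sample URLs (not taken from the advisory).
SAMPLES = [
    "https://bank.example/login?username=alice&password=hunter2",
    "https://bank.example/accounts;jsessionid=A1B2C3?view=summary",
    "http://news.example/story?id=42",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(audit_url(u))
```
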

  2. #2
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Damn. Thanks for the info.
    Real security doesn't come with an installer.

  3. #3
    Viggie, because of you, I now love Microsoft even more. YEAY!
    LOL
    Thanks though
    "Great spirits always encounter strong opposition from mediocre minds."
    Albert Einstein

  4. #4
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    That is why I use FireBird. You should try it out.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    117
    cgkanchi: I do also use Firebird, have used it since 0.2. The only problem is that my bank's online services require IE.
    Firebird is an outstanding App, it still has some bugs but every new beta release of it makes me cream my pants.
    .sig - There never was a .sig?
    I own a Schneider EuroPC with MS-Dos 3.3 and it works.
