IE 3.0 Warning - TS system snooping ?



Bob Brickey has published this very valuable warning regarding
IE 3.0.

Anyone who wants to check further on this and other security 
subjects should have a look at

http://www.digicrime.com/

Have fun and suspense. (not for the faint hearted)

Gerrit Jacobsen



> First, It's important to distinguish between Java
> applications and applets.  Both written in Java,
> applets are compiled bytecode files residing on the
> host machine which are d/l'd and executed within the
> Browsers environment.  This is done by the ClassLoader
> putting the bytecode into memory and then being verified
> so as not to violate security restrictions. Some of those
> restrictions are the inability to read/write to the local
> filesystem.  Java applications, OTOH, have the potential
> to do more harm because there is some level of trust 
> assumed between the remote host and the local host. RMI,
> remote method invocation, does what it suggests.
>  Look, I'm not trying to start an out-of-context
> thread in this list, and I'm sure that there are devious
> little madhackers chipping away at potential loopholes in
> the Java Spec. But the fact is that it's going to take more
> than a malicious webmaster to mung up your machine.
>  Java applets running in a browser that don't prompt
> you for any input or send anything back to the remote host
> are harmless. Period. If you're not comfortable with that, you can
> disable it. Just my .02 lantern@xxxxxxxxx
> 
> 
> 
> On Tue, 24 Feb 1998, Jim Lovejoy wrote:
> 
> > Thanks for the warning!  I personally use IE4.0 without Active
> > Desktop and have not had one problem with it yet on Win95 OSR2.
> > 
> > Question...
> > 
> > It was my understanding that Javascript (being a scripting
> > language) is not dangerous.  Mainly because it is embedded in html
> > and not a downloading executable.  Is this true?
> > 
> > On the other hand Java applets (small executable programs) have
> > the potential to damage but no one has figured out a way yet.  This
> > is because Java was not designed to machine level like C or CGI. 
> > Is this true?
> > 
> > Just want to make sure my facts are right.
> > 
> > Jim Lovejoy
> > fastgroup@xxxxxxxxxx
> >       Pain is inevitable...     Misery is optional.
> >                                                    -Unknown
> > 
> > -----Original Message-----
> > From: Scientific Approaches <sci@xxxxxxxxxx>
> > To: Omega Mailing List <omega-list@xxxxxxxxxxxxxxx>
> > Date: Tuesday, February 24, 1998 2:37 PM
> > Subject: Internet Explorer 3.0 Warning
> > 
> > 
> > >This doesn't have anything to do directly with trading, but
> > >almost everyone on this list uses web browsers, so you may find it
> > >interesting.
> > >
> > >Hoaxes about how email viruses can damage your computer and other
> > >such things are prevalent on the Internet.  Almost all such
> > >stories are total nonsense.
> > >
> > >However, there is a significant risk you should be aware of. 
> > >Microsoft Internet Explorer Version 3.0 has a major security hole
> > >that allows any webmaster to take control of your Windows desktop
> > >- including accessing any confidential files on your computer. 
> > >Webmasters can do almost anything you can do sitting at your
> > >computer.  They can upload files, download files, search and
> > >replace text in files, delete files, and run programs.  They can
> > >leave software that will give them repeated access each time you
> > >log back on the Internet in the future.
> > >
> > >The problem was a major embarrassment to Microsoft.  Microsoft
> > >released Version 3.01 to fix the problem, but within hours a
> > >teenager in California circumvented their fix and published a
> > >work-around on the web.  Microsoft then released Version 3.02 to
> > >block his work-around.
> > >
> > >If you are using MSIE 3.0, seriously consider updating either to
> > >3.02 (a small update) or to 4.x (a major upgrade, and one I don't
> > >recommend if you are using Win95 or WinNT).  Another option is to
> > >switch to a Netscape browser (my personal preference).  You can
> > >obtain free Microsoft browsers from:
> > >
> > >  http://www.microsoft.com/
> > >
> > >and free Netscape browsers from:
> > >
> > >  http://www.netscape.com/
> > >
> > >However, you should know that all HTML 4.0 compliant browsers,
> > >including recent versions of both Microsoft and Netscape
> > >browsers, expose your computer to malicious damage, because they
> > >support the automatic downloading
> > >and execution of small computer programs, called applets, that
> > >add pizzazz to many web sites.  Simple applet programs do such
> > >things as change the color of a button when the mouse cursor
> > >moves over it or display a message in the status bar to give web
> > >site visitors more information about a link. They can make web
> > >pages bounce, shimmy, sing and gyrate.  They also are commonly
> > >used to do such things as validate forms before visitors submit
> > >them and to produce sophisticated graphics animation.  They
> > >provide the means to do lots of "neat" things, but they also
> > >provide the means to automatically download and execute programs
> > >you won't even know about that can damage your computer.
> > >
> > >Restrictions have been imposed on what automatically downloaded
> > >applets can do, but they can be circumvented by knowledgeable
> > >programmers.  You can protect yourself from that risk by
> > >switching off applet support in your browser setup options.  The
> > >terminology is different in different browsers. Look for
> > >JavaScript, Jscript, Java Applet, VB, or ActiveX support.  You
> > >may not want to do that if you like the gimmicks on leading-edge
> > >web sites, but it eliminates the risk of potentially nasty
> > >consequences.
> > >
> > >  -Bob Brickey
> > >   Scientific Approaches
> > >   sci@xxxxxxxxxx
> > >
> > 
> 
>