
Re: IE 3.0 Warning - TS system snooping ?



WARNING 

This web site puts a security alert on your computer.  Do not go there
unless you want your browser to have a "security alert" appear each time
you open it.  

----------
> From: Gerrit Jacobsen <gerrit.jacobsen@xxxxxxxxxxxxxxxxxx>
> To: omega-list@xxxxxxxxxx
> Subject: IE 3.0 Warning - TS system snooping ?
> Date: Monday, March 02, 1998 6:16 AM
> 
> Bob Brickey has published this very valuable warning regarding the 
> IE 3.0.
> 
> Anyone who wants to check further on this and other security 
> subjects should have a look at
> 
> http://www.digicrime.com/
> 
> Have fun and suspense. (not for the faint hearted)
> 
> Gerrit Jacobsen
> 
> 
> 
> > First, it's important to distinguish between Java
> > applications and applets.  Both written in Java,
> > applets are compiled bytecode files residing on the
> > host machine which are d/l'd and executed within the
> > Browsers environment.  This is done by the ClassLoader
> > putting the bytecode into memory and then being verified
> > so as not to violate security restrictions. Some of those
> > restrictions are the inability to read/write to the local
> > filesystem.  Java applications, OTOH, have the potential
> > to do more harm because there is some level of trust 
> > assumed between the remote host and the local host. RMI,
> > remote method invocation, does what it suggests.
> >  Look, I'm not trying to start an out-of-context
> > thread in this list, and I'm sure that there are devious
> > little madhackers chipping away at potential loopholes in
> > the Java Spec. But the fact is that it's going to take more
> > than a malicious webmaster to mung up your machine.
> >  Java applets running in a browser that don't prompt
> > you for any input or send anything back to the remote host
> > are harmless. Period. If you're not comfortable with that, you can
> > disable it. Just my .02 lantern@xxxxxxxxx
> > 
> > 
> > 
> > On Tue, 24 Feb 1998, Jim Lovejoy wrote:
> > 
> > > Thanks for the warning!  I personally use IE4.0 without Active
> > > Desktop and have not had one problem with it yet on Win95 OSR2.
> > > 
> > > Question...
> > > 
> > > It was my understanding that Javascript (being a scripting
> > > language) is not dangerous.  Mainly because it is embedded in html
> > > and not a downloading executable.  Is this true?
> > > 
> > > On the other hand Java applets (small executable programs) have
> > > the potential to damage but no one has figured out a way yet.  This
> > > is because Java was not designed to machine level like C or CGI. 
> > > Is this true?
> > > 
> > > Just want to make sure my facts are right.
> > > 
> > > Jim Lovejoy
> > > fastgroup@xxxxxxxxxx
> > >       Pain is inevitable...     Misery is optional.
> > >                                                    -Unknown
> > > 
> > > -----Original Message-----
> > > From: Scientific Approaches <sci@xxxxxxxxxx>
> > > To: Omega Mailing List <omega-list@xxxxxxxxxxxxxxx>
> > > Date: Tuesday, February 24, 1998 2:37 PM
> > > Subject: Internet Explorer 3.0 Warning
> > > 
> > > 
> > > >This doesn't have anything to do directly with trading, but
> > > >almost everyone on this list uses web browsers, so you may find it
> > > >interesting.
> > > >
> > > >Hoaxes about how email viruses can damage your computer and other
> > > >such things are prevalent on the Internet.  Almost all such
> > > >stories are total nonsense.
> > > >
> > > >However, there is a significant risk you should be aware of. 
> > > >Microsoft Internet Explorer Version 3.0 has a major security hole
> > > >that allows any webmaster to take control of your Windows desktop
> > > >- including accessing any confidential files on your computer. 
> > > >Webmasters can do almost anything you can do sitting at your
> > > >computer.  They can upload files, download files, search and
> > > >replace text in files, delete files, and run programs.  They can
> > > >leave software that will give them repeated access each time you
> > > >log back on the Internet in the future.
> > > >
> > > >The problem was a major embarrassment to Microsoft.  Microsoft
> > > >released Version 3.01 to fix the problem, but within hours a
> > > >teenager in California circumvented their fix and published a
> > > >work-around on the web.  Microsoft then released Version 3.02 to
> > > >block his work-around.
> > > >
> > > >If you are using MSIE 3.0, seriously consider updating either to
> > > >3.02 (a small update) or to 4.x (a major upgrade, and one I don't
> > > >recommend if you are using Win95 or WinNT).  Another option is to
> > > >switch to a Netscape browser (my personal preference).  You can
> > > >obtain free Microsoft browsers from:
> > > >
> > > >  http://www.microsoft.com/
> > > >
> > > >and free Netscape browsers from:
> > > >
> > > >  http://www.netscape.com/
> > > >
> > > >However, you should know that all HTML 4.0 compliant browsers,
> > > >including recent versions of both Microsoft and Netscape
> > > >browsers, expose your computer to malicious damage, because they
> > > >support the automatic downloading
> > > >and execution of small computer programs, called applets, that
> > > >add pizzazz to many web sites.  Simple applet programs do such
> > > >things as change the color of a button when the mouse cursor
> > > >moves over it or display a message in the status bar to give web
> > > >site visitors more information about a link. They can make web
> > > >pages bounce, shimmy, sing and gyrate.  They also are commonly
> > > >used to do such things as validate forms before visitors submit
> > > >them and to produce sophisticated graphics animation.  They
> > > >provide the means to do lots of "neat" things, but they also
> > > >provide the means to automatically download and execute programs
> > > >you won't even know about that can damage your computer.
> > > >
> > > >Restrictions have been imposed on what automatically downloaded
> > > >applets can do, but they can be circumvented by knowledgeable
> > > >programmers.  You can protect yourself from that risk by
> > > >switching off applet support in your browser setup options.  The
> > > >terminology is different in different browsers. Look for
> > > >JavaScript, Jscript, Java Applet, VB, or ActiveX support.  You
> > > >may not want to do that if you like the gimmicks on leading-edge
> > > >web sites, but it eliminates the risk of potentially nasty
> > > >consequences.
> > > >
> > > >  -Bob Brickey
> > > >   Scientific Approaches
> > > >   sci@xxxxxxxxxx
> > > >
> > > 
> > 
> >