InfoWorld
Lead with Knowledge
HOME/ SITEMAP
SUBJECT INDEXES
App Development
Broadband
Business Intell.
Business News
Business Strategies
Careers & Mgmt
Collab. Software
Content Mgmt
CRM
Database
E-Business
End-User Apps
End-User Hardware
Enterprise Apps
Ethics
Government
Licensing
Middleware
Mobile Computing
Networking
Online Community
Operating Systems
Processors
Security
Servers
Storage
Telecomm.
Web Services
Web Technologies
Wireless
XSPs
NEWS
CTO ZONE
TEST CENTER
FEATURES
COMMUNITY
OPINIONS
RESEARCH
EVENT
WEBCASTS
ABOUT InfoWorld
ABOUT US
About InfoWorld
Services
Advertise
Contact us
Employment
WHITE PAPERS

Learn to secure your PCs from new and unknown hacker attacks.

Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.
SEARCH:  
Home  //  Article
Print Article    Email Article
Window Manager
Brian Livingston
More flaws in Internet Explorer and Outlook: Now you can receive e-mails that read you

A FLAW THAT'S BEEN newly discovered in Microsoft's Internet Explorer 4 and 5 allows almost any Web site you visit to read all the files on your hard disk. And, because recent versions of Outlook and Outlook Express use IE's code base to display complex e-mail messages, even an e-mail you receive can read all about you. No attachment is required.

This new problem was found by Georgi Guninski, who's made something of a sport of exposing Microsoft weaknesses.

Guninski has even created a Web page that demonstrates the problem. It merrily lists all the file names in the root of your C: drive.

But don't go to this Web site until you use Microsoft's patch (see below) or take the following steps to prevent other Web sites from viewing your files.

My thanks go to Steve Fallin of WatchGuard Technologies (www.watchguard.com) for his work-around:

Step 1. In Internet Explorer, pull down the Tools menu, and then click Internet Options.

Step 2. Click the Security tab.

Step 3. Select the Internet icon, and then click Custom Level.

Step 4. Scroll down to Microsoft VM/Java Permissions, and then click Custom.

Step 5. Click the Java Permissions Settings button.

Step 6. Click the Edit Permissions tab.

Step 7. Change the radio button under Run Unsigned Content to Disable. Change Signed Content to Prompt.

Step 8. Click the Reset button.

Step 9. Click OK or Yes all the way out to save your changes.

These steps will disable Java applets and plug-ins from "unsigned" (anonymous) Web sources. If the creator has "signed" the applet, you will see a prompt asking you to accept (if you really trust the source) or reject.

If you've made the changes outlined above, you're ready to visit Guninski's site and see how easily a mere Web page or e-mail can read your entire hard drive. Go to www.guninski.com/javacodebase1-desc.html. This text page links to the actual demonstration.

In my tests, I found that once a machine has run Guninski's demo, the exploit still works later, even after you apply the work-around.

However, if the change is made before a machine visits Guninski's site, his demo cannot automatically have its way.

Instead, you are presented with the prompt I mentioned earlier: "Do you want to allow software such as ActiveX controls and plug-ins to run?" If in doubt, you should answer No to this question.

In Guninski's case, it's safe to click Yes to see for yourself how a Web site or e-mail can read your entire hard drive.

WatchGuard's Fallin says his company's firewall products can stop Java applets if you configure the hardware that way. "But we can't require one policy that works in all situations," he says. Instead, he says companies must judge for themselves "the trade-off between usability and security."

For information and Microsoft's patch, go to www.microsoft.com/technet/security/bulletin/fq00-081.asp.

ICANN board re-elects itself

I reported last week that Internet users around the world elected five new directors to the board of ICANN (www.icann.org), the Internet's coordinating body. Four more directors were due to be elected at a later date, making half of the organization's 19 directors elected rather than appointed.

Remarkably, ICANN announced on Oct. 27 that its board has extended by two years the terms of four directors who were supposed to leave.

This appears to eliminate the possibility of having free elections for these four seats.

In an interview regarding the recent announcement, Mike Roberts, ICANN's executive director, said that, because the far-flung board meets quarterly, "most of the dialog [about the decision to extend the directors' terms] was done by e-mail."

However, he added, "The decision to do it that way was made back in Cairo," where the board met in March 2000.

Legal experts, including University of Miami law professor Michael Froomkin, immediately called upon the four directors to resign. Froomkin notes on his Web site that ICANN's original bylaws prohibited the "interim" appointed directors from staying past September 2000. (For his page and a link to ICANN's announcement, see personal.law.miami.edu/~froomkin/boardsquat.htm.)

This should make for an interesting board meeting in Marina del Rey, Calif., next week.

Get Livingston free by e-mail

You can now receive this column every Monday, free by e-mail. Go to www.iwsubscribe.com/newsletters and click Window Manager.


Brian Livingston 's latest book is Windows Me Secrets (IDG Books). Send tips to brian_livingston@infoworld.com. He regrets that he cannot answer individual questions.



RELATED SUBJECTS

Business News
Operating Systems
Web Technologies
MORE >
SUBSCRIBE TO:    E-mail Newsletters  InfoWorld Mobile InfoWorld Magazine
Home  //  Article Print Article    Email Article
Back to Top
 ADVERTISEMENT
 

SPONSORED LINKS

Download the J.D. Edwards CRM white paper. Visit jdedwards.com/crmpaper
Gateway: Your Reliable IT Provider of Business Technology Solutions
Learn to secure your PCs from new and unknown hacker attacks.
Get FREE Hurwitz Report: Control Your App Dev Costs with TogetherSoft!
Click here to receive a FREE Success Kit from Oracle.

SUBSCRIBE
E-mail Newsletters
InfoWorld Mobile
Print Magazine

Web-based training
ABOUT INFOWORLD  |  SITE MAP  |  EMPLOYMENT  |  PRIVACY  |   CONTACT US

Copyright 2001 InfoWorld Media Group, Inc.