Re: Microsoft IE cookies readable via about: URLS

From: Jeffrey W. Dronenburg (dronenjw@us.hsanet.net)
Date: 11/10/01


Message-ID: <008c01c1697b$d6c03860$a777d818@us.hsanet.net>
From: "Jeffrey W. Dronenburg" <dronenjw@us.hsanet.net>
To: <nick@virus-l.demon.co.uk>, <bugtraq@securityfocus.com>
Subject: Re: Microsoft IE cookies readable via about: URLS
Date: Fri, 9 Nov 2001 19:08:33 -0500

Nick FitzGerald <nick@virus-l.demon.co.uk> wrote:

<snip>
> A better workaround (assuming that you feel cookies are "relatively
> useful" and would rather not turn them off) is to put about: URLs
> into the Restricted Sites zone, as detailed in Andrew Clover's
> followup to his own post:

> http://www.securityfocus.com/archive/1/222552

> In short, create a DWORD value named "about" under:

> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

> and set it to 4.

> I just tested this against your test page and with the above value
> set, the test tells me "No cookies found for site...".
> Interestingly, this registry change seems to have almost immediate
> effect -- i.e. it did not require a restart or logout/login or even
> an IE exit/restart (I did this on Win2K) but occasionally, when
> running the test page over and over alternating back and forward
> between having the above value set and not present (the default), the
> page would work as if the registry value had not yet been changed.

<snip>

I validated your test results with Windows 98 SE (4.10.2222A) in a
multi-user environment and Internet Explorer 5.5 (5.50.4807.2300IC with SP2;
Q306121 installed), both fully patched with latest updates. I also
validated your test results with Windows Me (4.90.3000) and Internet
Explorer 5.5 (same version as above) and then again after upgrading to IE
6.0 (6.0.2600.0000).

In all cases, the registry change did not require a system reboot to take
effect.

However, when I attempted to validate your test result with IE 5.5 by
toggling the registry settings between "0" and "4", I noticed that
increasing the security setting takes effect immediately, while reducing it
requires a new instantiation of IE and will not take effect in the current
window. Changing the registry value from "0" to "4" would change the output
results on the test Web page from displaying cookies to reporting "No
cookies found for site...". Resetting the value from "4" to "0" had no
effect on the current instantiation of IE, but the new registry value would
take effect upon opening a new IE window, but still not in the previous IE
window. (Isn't multi-tasking fun? <smirk>).

This wasn't the case with IE 6.0, however. Toggling the registry settings
between "0" and "4" took immediate effect in the current window when both
increasing and decreasing the setting.

Therefore, increasing the cookie security setting will take effect
immediately in both IE 5.5 and 6.0 in all open IE windows. Decreasing the
setting will only take effect in a new window in IE 5.5 regardless of
whether or not the previous windows (including the REGEDIT window) are still
open or not. Decreasing the setting in IE 6.0 will have immediate effect
and make the browser vulnerable to the exploit.

Cool stuff! Thanks, Nick, for reminding us of Andrew's post.

Cheers,
Jeff

Jeffrey W. Dronenburg, Sr.
MIS Major, Univ. of Maryland, Univ. College
Alpha Sigma Lambda
Phi Kappa Phi

"A day without learning is like apple pie without ice cream. They're both
much sweeter the other way around." -Me! :-)
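
Added example, not part of the original post: one way to audit the workaround discussed in this thread is to check a REGEDIT4 text export of the ProtocolDefaults key and report whether "about" is mapped to zone 4 (Restricted Sites). The function names and the sample exports are constructed for illustration, and the zone names are the standard IE zone numbering.

```python
import re

# Zone numbers used by IE's URL security zones.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
       r"\Internet Settings\ZoneMap\ProtocolDefaults").lower()

def protocol_defaults(reg_text):
    """Return {protocol: zone} from the ProtocolDefaults key of a .reg export."""
    mapping, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == KEY   # key paths are case-insensitive
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if in_key and m:
            mapping[m.group(1).lower()] = int(m.group(2), 16)
    return mapping

def audit_about(reg_text):
    """Classify the about: mapping: 'restricted', 'missing' or 'weak:<zone>'."""
    zone = protocol_defaults(reg_text).get("about")
    if zone is None:
        return "missing"          # value not present: the default state
    if zone == 4:
        return "restricted"       # the workaround from the thread is in place
    return "weak:" + ZONES.get(zone, "unknown zone %d" % zone)

# Constructed sample exports (not taken from a real machine).
HARDENED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"about"=dword:00000004
'''
DEFAULT = HARDENED.replace('"about"=dword:00000004\n', "")
LOWERED = HARDENED.replace("dword:00000004", "dword:00000000")

if __name__ == "__main__":
    for name, text in [("hardened", HARDENED), ("default", DEFAULT),
                       ("lowered", LOWERED)]:
        print(name, "->", audit_about(text))
```
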


