IE exposing URLs to msn.com and alexa.com?

From: Stewart Smith (stewartsmith_at_mac.com)
Date: 06/17/03

  • Next message: KF: "Java class obfuscation"
    Date: Tue, 17 Jun 2003 10:52:34 +1000
    To: vuln-dev@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Has anyone been able to verify this?

    http://www.secunia.com/advisories/8955/

    Internet Explorer Exposes Sensitive Information

    Release Date:
    2003-06-06

    Critical:
    Moderately critical

    Impact:
    Exposure of sensitive information

    Where:
     From remote

    Software:
    Microsoft Internet Explorer 6

    Description:
    A vulnerability has been identified in Internet Explorer, which exposes
    sensitive information to "msn.com" and "alexa.com".

      While this is a known "feature" when the "Show Related Links" option
    is activated in Internet Explorer, there is a bug, so that Internet
    Explorer will keep transmitting the information to "msn.com" and
    "alexa.com" after "Show Related Links" has been de-activated. This
    occurs whenever "Ctrl+R" is used to reload a page.

      To make matters worse, it has been confirmed that this behaviour also
    affects SSL enabled pages. One thing is that Microsoft has chosen to
    make a "feature", which reveals this information to "msn.com" and
    "alexa.com", but the fact that information, which was supposed to be
    protected by SSL and sent only to one site, is sent in plain text to a
    third party ("msn.com" and "alexa.com") is of great concern.

      The data transmitted to "msn.com" and "alexa.com" is the complete URL.
    In some cases this could contain sensitive information such as
    username, password, session id, search string, "secret paths", and more.

      The vulnerability has been confirmed for Internet Explorer 6 on
    Windows 2000 and Windows XP with all Service Packs and hotfixes.

      It is Microsoft that controls who else than "msn.com" should receive
    this information. Microsoft could at any time choose to send this
    information to another party than "alexa.com".

    Solution:
    We recommend that you filter traffic at your perimeter so that no data
    may be sent to "msn.com" and "alexa.com".

      Make sure that you don't use the "Show Related Links" feature or that
    you close your browser after you have used it.

      For other alternative solutions see "Other References".

    Reported by / credits:
    Mike Shepherd

    Changelog:
    2003-06-09 Minor correction. Added link to alternative solutions.

    Other References:
    http://www.imilly.com/alexa.htm#subvert

    Stewart Smith
    stewart@gammasolutions.com
    Programmer / UNIX Sys Admin

    Gamma Solutions Pty Ltd
    Monash Corporate Centre,
    Unit 11, 20 Duerdin Street,
    Clayton, Victoria 3168
    Phone: +61 3 9562 7755
    Fax: +61 3 9562 7766
    Mobile: +61 4 3884 4332
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (Darwin)

    iD8DBQE+7mZZFtJC9tN9SokRAo1zAJ93g0roDJlfeZXSI5CQXY99X5t+ZgCgl9Wq
    kK3vp6lnViXndwoYPkXrj0E=
    =3zvI
    -----END PGP SIGNATURE-----


  • Next message: KF: "Java class obfuscation"

    Relevant Pages

    • Re: IE exposing URLs to msn.com and alexa.com?
      ... On Tue, 17 Jun 2003, Stewart Smith wrote: ... > Internet Explorer Exposes Sensitive Information ... One thing is that Microsoft has chosen to ...
      (Vuln-Dev)
    • Re: Probable spyware problem
      ... > when i open the internet explorer, and is causing the google, yahoo ... Microsoft has these suggestions for Protecting your computer from the ... keep it clean,secure and running at its top performance mark. ... I'll mainly work around Windows XP, as that is what the bulk of this ...
      (microsoft.public.windowsxp.security_admin)
    • Re: OWA slow for users to pull up
      ... Please open the ISA Server management console, ... In the right pane, switch to the 'Logging' tab, make sure the 'Task ... 'Microsoft Firewall' service. ... Open Internet Explorer ...
      (microsoft.public.windows.server.sbs)
    • Re: regedit
      ... >> internet explorer has always been set with that link as default.I ... > Microsoft has these suggestions for Protecting your computer from the ... > keep it clean,secure and running at its top performance mark. ... > I'll mainly work around Windows XP, as that is what the bulk of this ...
      (microsoft.public.windowsxp.general)
    • RE: home page
      ... Important This article contains information about modifying the registry. ... 256986 Description of the Microsoft Windows Registry ... Your Internet Explorer home page has been changed to a different Web site ... You cannot change your home page selection to the Web site that you want. ...
      (microsoft.public.windowsxp.accessibility)