Re: AOL IE settings concern
From: depp (jdepp99@cox.net) Date: 05/03/02
From: depp <jdepp99@cox.net> Date: Fri, 03 May 2002 00:46:31 GMT
HEH they said AOL
America's Organization of Lewsers
1. Problem <AOL>
2. Solution FUCKING GET RID OF IT BURN IT AND PROTEST EVERYTHING THAT
HAS AOL ON IT
On Thu, 02 May 2002 19:39:21 -0400, Phil <sorry_I'm_not@home.now>
wrote:
>*AIM USURPS IE SECURITY CONTROLS
>
>By Shawna McAlearney
>Calling a problem in AOL's Instant Messenger (AIM) an "issue of
>critical importance to both home and business users," several security
>experts have expressed concerns that some AIM installations can modify
>users' Internet Explorer (IE) security settings.
>
>These concerns stem from an AIM modification to IE security settings
>that places https://free.aol.com in the Trusted Sites Zone, a security
>setting in IE that grants user-defined trusted Web sites and intranets
>special rights on a target computer.
>
>"I think it's a high security risk," says Christian Piper, technical
>director of FuzzyGroove Media Network. "The whole idea of the Trusted
>Zone policy, according to Microsoft, was to give the user more control
>to either accept or deny the storing of sensitive information. The AIM
>installer just throws that whole concept out of the window."
>
>However, the situation appears to have taken on a new complexity,
>according to Michael Damm, a freelance security expert and a network
>administrator at Irwin Research & Development. He says that if a
>typical user clicks one of the many "Free AOL and Unlimited Internet"
>icons on their system, or one of the 5,800 links to this domain that
>Google turns up, AOL can run the code of choice without prompting.
>
>"This in itself is a large security hazard, allowing a Web site to run
>potentially malicious code without consent. I have also located two
>cross site scripting vulnerabilities in AOL's signup Web site that
>could be used by a malicious Web site to inject its own dangerous
>JavaScript or ActiveX content," says Damm. "Since Internet Explorer
>interprets this code as coming from free.aol.com and trusts it under
>the security settings configured for that domain."
>
>Researchers say potentially malicious JavaScript and ActiveX controls
>can be placed into this imbedded code and could lead to a compromise
>if users click on links found on Web sites, inside e-mails, or from
>chat and instant message conversations.
>
>"By utilizing these methods in my research I was able to execute
>programs both from a user's local hard drive and downloaded
>automatically from the Internet without any prompts or warnings from
>Internet Explorer," says Damm.
>
>"This is not an issue that can be directly dealt with by a vendor
>patch, since it deals with the product's installers and
>misconfigurations of AOL's Web servers," adds Damm. "All users should
>check their computers by opening Internet Explorer, clicking Tools,
>Internet Options, the Security tab, the Trusted Sites icon, the Sites
>button, and removing https://free.aol.com, if it is listed."
>
>(Add it to your Restricted sites)
>
>
>
>SECURITY WIRE DIGEST, VOL. 4, NO. 29, APRIL 15, 2002
>Security Wire Digest (BPA membership applied for, December 2001) is an
>e-mail newsletter brought to you on Mondays and Thursdays by
>Information Security magazine
>
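Added example (not part of the original post or the quoted article): the manual Trusted Sites check described in the article can also be run over a `reg export` of IE's per-user site-to-zone key, which is useful when auditing more than one machine. The sample export and the function names below are constructed for illustration.

```python
import re

# Zone numbers used by Internet Explorer's ZoneMap registry values.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
KEY_RE = re.compile(r"^\[(.+\\ZoneMap\\(?:Esc)?Domains)\\(.+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in `reg export` text format (not taken from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com\free]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"*"=dword:00000004
"""

def zone_map_entries(export_text):
    """Return (scheme, host, zone) for every site-to-zone mapping in the export."""
    entries, host = [], None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Subkeys run domain\subdomain; reverse them to get subdomain.domain.
            host = ".".join(reversed(key.group(2).split("\\")))
            continue
        if line.startswith("["):
            host = None  # some other key: its values are not zone mappings
            continue
        val = VAL_RE.match(line)
        if val and host:
            entries.append((val.group(1), host, int(val.group(2), 16)))
    return entries

def trusted_sites(export_text):
    """Mappings placed in the Trusted Sites zone (zone 2), as scheme://host."""
    return [f"{s}://{h}" for s, h, z in zone_map_entries(export_text) if z == 2]

if __name__ == "__main__":
    for scheme, host, zone in zone_map_entries(SAMPLE_EXPORT):
        flag = "  <-- review" if zone == 2 else ""
        print(f"{scheme}://{host}: {ZONES.get(zone, zone)}{flag}")
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text in. Address ranges mapped under `ZoneMap\Ranges` are not covered by this example.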