exploit fix breaks CDO access

From: Biff (biffinpitt_at_comcast.net)
Date: 07/04/04 

Date: Sat, 3 Jul 2004 23:30:42 -0700

Here's the complete link for the test:

http://secunia.com/multiple_browsers_frame_injection_vulner
ability_test/

>-----Original Message-----
>Hi Folks!
>
>Just an FYI:
>
>I followed a suggested fix that is suppossed to eliminate
>the current "spoofing" exploit and discovered that the
fix
>breaks access to these newsgroups if you use the CDO
>interface. (web access)
>
>The fix calls for setting "Navigate sub-frames across
>different domains" to disabled. It seems that these MS
ngs
>use that functionality !!!!!!! Go figure !!!!!!
>
>With that setting disabled you can open the site but you
>can't open or read any of the posts. A security fix that
>won't let you access a security forum. How's that for
>irony ???
>
>>From an article at Net-Integration: Credit to
>AplusWebmaster.
>
>Microsoft Plugs IE; Report Warns All Browsers At Risk
>- http://www.techweb.com/wire/story/TWB20040702S0007
>July 2, 2004 (3:34 p.m. EST) - By Gregg Keizer, TechWeb
>News
>"As if to prove the point that security is like the Dutch
>boy at the dike, Microsoft on Friday released a stop-gap
>fix for one of several vulnerabilities that have plagued
>its Internet Explorer just as a security firm warned that
>virtually every browser -- not just IE -- can be spoofed
>by hackers. The update, which Microsoft tagged
>as "Critical", isn't a patch per se, but rather an change
>to Windows that disables the ADODB.Stream object within
>the operating system's Data Access Components
>(DAC)...Wednesday, Secunia issued a warning saying it had
>discovered a vulnerability within IE that allowed
scammers
>to spoof, or fake, the content of a site displayed in the
>browser.
>- On Friday, however, the security vendor modified the
>alert to claim that virtually every browser, from
Internet
>Explorer and Mozilla to Opera and Netscape -- including
>browsers for both Windows and the Mac OS -- has this
>flaw. "It's not a code vulnerability," said Secunia's
>Kristensen, "but a design flaw." The problem stems from
>how browsers handle frames. "Some time ago, browser
>designers decided that one site needed to be able to
>manipulate the content of another, and the functionality
>was adopted by everyone," said Kristensen. But hackers
can
>use this to inject phony content -- say their own credit
>card-stealing form -- into a frame of an actual trusted
>Web site, such as a user's online bank. "In these times
of
>phishing attacks and other scams, this is a problem,"
said
>Kristensen. "You're visiting a bank or an e-commerce
site,
>and you're certain of that site, but meanwhile, it's
>[actually] open in the background to content change by
>hackers." Internet Explorer users can stymie such
spoofing
>attacks by disabling the "Navigate sub-frames across
>different domains" setting under Tools/Internet
>Options/Security.
>Secunia offered up a quick test that users can run to see
>if their current browser is vulnerable to this problem."
>>>>
>http://secunia.com/multiple_browsers_frame...erability_tes
t
>/
>
>Biff
>
>
>.
>