The Haus

Thursday, April 18, 2002

IE Back Button Exploit

Wired brings word of another Internet Explorer vulnerability that can be activated simply by hitting the back button. Here's the problem:

When a Web page fails to load, Explorer displays a standard error message. This message is set to operate in the "Local Computer Zone" security setting, which by default allows scripting to run automatically.

Any code inserted in the original URL is handled as if it comes from the same security zone as the last URL viewed. So a URL containing malicious JavaScript that might be blocked by default if a user visits the site directly, will be automatically triggered when the user presses the back button.

While it sounds like it would be somewhat difficult to exploit, I was surprised at M$'s response to the one who reported the problem:

A Microsoft spokesman said the Microsoft Security Response Center thoroughly investigated Sandblad's report "and determined that because the proposed exploit scenario is dependent upon specific user interaction as a prerequisite, it does not meet our definition of a security vulnerability."

"The proposed exploit scenario requires the attacker to compel the users to click on the back button while visiting a malicious website. This scenario does not constitute a viable threat to users following standard best practices," the spokesman added.

Some users were surprised to find out that Microsoft believes that using the back button is not a standard, best security practice.

Apparently they are now in the business of redefining terms too. How can clicking the back button not be a "standard best practice"? Almost too bizarre. Thanks HardOCP.

The Master comments: That's okay--once a Microsoft staffer hits a back button on the right site and some hacker pulls down all their secure info, then they'll change their tune.

All original information on this website is copyright © TheHaus.Net, 1999-2005. The use of original images, text, and/or code from this website without expressed written consent is prohibited. The authors of this site cannot be held responsible for any damage, real or imagined, which comes from the use of information presented on this site. All trademarks used are the properties of their respective owners. This site is not to be used as a floatation device (but if you try, I want a video tape of it).