Internet

Internet & Computers

Internet Explorer 6 Vulnerabilities

By Domingo Amarillo

What's the latest here? Well, nothing really, its business as usual. So, it doesn't come as a surprise that Microsoft were in a rush to get Internet Explorer 6 out the door and forgot to take that extra bit of time to debug and test it for security cracks.

If you're wondering how the heck a browser can be hacked, read on. Most important to note, Microsoft's implementation of client side JScript (Microsofts version of JavaScript) exposes some simple security flaws that allow us to use common JScript functions such as document.open and document.write to spoof another site, steal cookies, and more worryingly physically read existing files on a users machine (all through one or two lines of code.)

Unfortunately, if you're using the standard version of Internet Explorer 6 then you're not safe. The code snippets were tested with both IE6 version 6.0.2479.0006 and version 6.0.2600.0000 and both were prone to the flaws. This is the consequence of someone being able to manipulate your local files from a remote location.

This bring up the important question "Is it worth it to install IE6?". Considering that there are several other browsers available for free (such as Netscape 6 and Opera 5, both of which do a great job of rendering pages closely to the W3C standards), is it worth sacrificing the integrity and security of your system just to get a couple of Internet Explorer 6 options such as smart tags? "I think not!"

For more related articles go to the following link, http://osioniusx.com, you'll see a complete list of coding examples and methods used to exploit these holes. Their examples and info are great. Just to illustrate what I mean a couple of HTML pages were created to show you just how severe the holes are.

Cookies have taken their fair share of slack over the last couple of years, with many people insisting that cookies are not safe and that they can easily be "stolen" by another site. I, like many others, had simply dismissed this idea. If cookies are stored in a file on the visitor's computer, how can anyone access them remotely, right? It's just crazy. Indeed it is.

If you're running IE6, then the persistent cookies for any site you've visited can be stolen using two lines of JScript. Let's give this a test. Go and visit any site that lets you create a members account, but also lets you choose a "remember me for later" option. The "remember me for later" option is commonly used to allow visitors of a site to not have to re-enter their user credentials every time they re-visit the site. On smaller, less-global sites, typically a cookie is saved to the visitors' machine containing both the users login ID and password so that they can be logged in automatically the next time they visit.

Once you've created your new user account, remember the URL of the site. Create a new file named c:cookie_steal.html and enter the following code into it:

<html>
<head>
<title> Mmmmm Gimme Cookie!</title>
<script language="JavaScript">

</script>
</head>
<body bgcolor="#FFFFFF" onLoad="getCookie()">

</body>
</html>

Load the page in your browser and enter the full domain name (including the http:// part) of the site that you just joined into the popup box. I won't disclose the details of the site that I joined, but here's the output in my browser:

This is one major security flaw: cookies were designed and implemented in such a way that one site could never access the cookies from another site, either by client-side code or server-side scripting technologies. I guess it would be understandable if it took 100,000 lines of code and 25 mainframe computers to get the cookies of a remote site from your PC, but using a couple of lines of JScript, well, it's preposterous!

Think of all the ways that these cookies can be used and abused. If John Doe decides to create a page on his site that uses the JScript function above to get cookies from your PC (which could contain your user ID and password) for your online bank account and takes $10,000, them how do you prove it was him? There's no sign of forced entry, and you don't even know that your account details were stolen. Not good at all!

If you're using IE6, never select an option to "remember you for later". This could come back and bite you down the track, when you realize that someone has logged into one of your online accounts and has taken some of your personal data or belongings. Also, if you can live without cookies, do so. Set the security options in IE6 to notify you when cookies are being set, and only accept them if they contain jumbled data, such as an encrypted session ID or variable.

If you open a new web browser window using JScript in IE6 with something like "http://www.company.com" as the URL, then you'd be pretty sure that the page you're viewing actually comes from that domain, right? It's impossible to change the contents of a web page on another domain isn't it? Are you sure? Absolutely sure? Not!

Using just a couple of lines of JScript, you can open a new browser window containing the URL of an external site and modify the body of that page: AKA site impersonation.

Create a new page named c:site_impersonate.html and enter the following code into it:

<html>
<head>
<title> Site Impersonation </title>
<script language="JavaScript">

</script>
</head>
<body bgcolor="#FFFFFF" onLoad="openWin()">

</body>
</html>

Load the page up in IE6 and enter a fully qualified domain name in the popup window (I entered the name of my site, http://www.devarticles.com). Look at what happens when the JScript code opens a new window:

Think of the various scenarios where this could threaten your personal security. Next time you click on a link to pay for a credit card purchase and it opens in another window, be 500% sure that the site is who they say they are. To do this, right click in the middle of the page and click the properties option. Make sure the address of the site is actually http://www.payment-gateway.com or whatever the URL of the payment provider is. Here are the properties of the page that we just impersonated:

See how the address points to the script that opened the new window? If you're using IE6, always check the address of a page if you're about to enter sensitive information such as your address, phone number, credit card details, etc.

One final example show you how easy it is to grab the contents of a file from a users PC and send it back to a web server for processing and analysing.

The document.open function is used to open documents in a new window. When I say documents I'm roughly talking about HTML pages that reside on some remote server. With most browsers all you can open in a new window is remote documents, remote meaning those that need to be retrieved over a protocol, such as HTTP or FTP. Sure you can use the file:/// syntax to open a local file with most browsers, but you can't do this using client-side code from a remote web page right? or can you?

That's right, thanks to a couple more holes in IE6, it's now possible to see the contents of a file on a clients machine... all with one simple call to the document.open function. Create a new file named c:file_read.html. Enter the following code into it:

<html>
<head>
<title> Local File Reading </title>
<script language="JavaScript">

</script>
</head>
<body bgcolor="#FFFFFF" onLoad="readFile()">

</body>
</html>

The JScript code in the example above retrieves the contents of c:winntsetuplog.txt (which is the log from the installation of Windows 2000) and displays it in a text box on a web page. The location of the local file is specified in the fileLoc variable, and can be any file you like. The only criteria for this code to work are that the file must be either a HTML or text file, and must exist on the users PC.

If you're thinking that you can't do much with text files, then think about XML. XML is a based on text, and if quickly becoming the replacement for traditional INI files. If you knew where a user had an XML file residing on their hard drive, you could grab it and use IE6's built-in XML rendering engine (MSXML) to grab elements from the file. Furthermore, you could use JScript's object handling events to automatically submit that data back to a remote web server (form1.submit())... all while the client has no idea of what's going on. A definite security worry indeed!

Obviously the best way to protect yourself from this hole is to disable client-side scripting completely, raising your security settings to high if you feel the need to do so.

In conclusion, Microsoft had just released a patch to combat most of the holes described in this article. Visit this site for more information. You decide whether or not you’d like to use Internet Explorer 6 for your daily web browsing duties.

Resource Links:

CIPS CIPS Story osioniusx.com Microsoft's patch site

******

Security issues continue to plague the technology world, from new worms cropping up in Europe to Web site hacks in the United States.

Worms come in all shapes and sizes, and when they come bearing a picture of teen pop star Britney Spears, security experts are put on high alert. The bug, labeled variously as "VBS/Britney-A" and "VBS-BRITNEYPIC.A," is considered low-risk because it infected a small number of computer users in Europe after it was initially detected Thursday, computer experts said. Because Spears is often one of the most popular search terms online, security industry experts worry that an e-mail bearing the star's name--complete with its destructive payload--could spread widely.

Another worm disguise this week came in the form of a song. Songs found on file-swapping networks and played on a number of popular Internet media players, including Microsoft's Windows Media Player or RealNetworks' RealPlayer, could potentially carry a worm. That's because the players provide the ability to embed Web addresses and scripts--key ingredients in self-propagating, hostile code. Reports of the potential problem have raised old concerns about the ability of malicious file-swappers to "poison the pool" of files traded on swapping networks.

The New York Times' internal operations network was on the receiving end of an unauthorized visit by Adrian Lamo--the curious hacker who has hit such high-profile companies as Yahoo, Microsoft and Excite@Home. Lamo said he viewed employee records--including Social Security numbers--and accessed the contact information for the paper's sources and columnists, including such well-known contributors as former U.S. President Jimmy Carter, former Marine Col. Oliver North, and hip-hop artist Queen Latifah.

Microsoft this week continued its search for better security. The company announced that its Windows.Net Server, the successor to its Windows 2000 Server operating system, will not ship during the first half of 2002, as the company had earlier indicated. The company now hopes to issue the first release candidate--or near-final testing version--sometime in the summer and a final version later in the second half of the year. Conceivably, many customers might not receive the product until next year.

Analysts said that Microsoft might use the extra time to improve .Net Server's security features, in response to Chairman Bill Gates' "Trustworthy Computing" initiative. In a mid-January e-mail to Microsoft employees, Gates said the company must make security a top priority, even more than new product features.

In other Microsoft security news, the company said it would deliver the first major update to Windows XP as early as the third quarter. Microsoft plans to present some significant technology enhancements, along with the bug fixes that it typically includes in updates or service packs to operating systems such as Windows NT and 2000. A service pack is a cumulative collection of fixes and updates for a desktop operating system that otherwise would be available as separate downloads.

Windows XP Service Pack 1 will also deliver support for technologies that could allow PC makers to devise computers that go beyond more staid desktop and notebook designs. Service Pack 1 will introduce support for Mira "smart" display devices, the Tablet PC, and the multimedia-oriented Freestyle graphical interface.

In the chips
The Intel Developer Forum in San Francisco gave us a peek at the next generation of PCs. A year and a half from now, desktops and notebooks should be noticeably different.

Intel is trying to usher in design standards for computers that would result in more stylish and versatile machines. Wireless networking, for instance, will likely be a standard feature in mainstream computers by the second half of 2003, and both notebooks and desktops will be smaller and lighter by then. Further out, desktops will accept plug-in devices, and notebooks may integrate a second screen for calendaring or paging.

Intel is also focusing on communication devices. During the next 10 years, the chipmaker will turn its research and manufacturing expertise toward driving down the cost and size of radios, optical networking equipment, and other communications devices to the point where communication nodes will become omnipresent.

A year from now, for instance, laptops will contain chips that will let consumers more easily transfer from wired to wireless networks. Five years from now, radios will be so small they'll be tucked into a corner on a microchip, drastically reducing the cost and size of cell phones. Optical connections will be used inside computers to reduce power and heat.

In the near term, Intel plans to come out with a new version of the Pentium 4 code-named Prescott, which will enhance desktop performance through hyper-threading, among other changes. And although Intel spent considerable energy in 2000 and 2001 devising low-energy versions of its Pentium III chip for slim notebooks, it won't do the same with the Pentium 4.

Shutting down
StreamCast Networks' Morpheus--a file-swapping service that many have said would be impossible for courts to shut down--shut out its users this week, citing "technical problems." Computer users trying to log on to the service were greeted with a message telling them to upgrade their software to connect, although no newer version of the software was available.

StreamCast blamed Kazaa, another file-swapping company that had provided the basic software that served as the foundation of the Morpheus program. Kazaa and fellow software licensee Grokster have recently upgraded their software, while StreamCast has not.

The glitch is raising new questions about the future of the Net's free-music bonanza. Although the nature of the problem remains unclear, the shutdown has led StreamCast to consider dropping its current software. Such a move could create the biggest rift in the file-swapping world since a federal judge effectively shut down Napster last year.

In an interview, StreamCast Chairman Steve Griffin said the company in the next few days plans to release a new version of Morpheus based on Gnutella, an earlier open-source peer-to-peer alternative that has so far trailed in popularity.

And finally, Excite@Home went out of business Thursday, marking the final chapter for a networking and content giant that just a few years ago had a market capitalization of some $35 billion and was considered a serious rival to America Online. Far worse than the typical dot-com flameout, Excite@Home's demise affected thousands of employees and cost investors billions of dollars.

Were you able to keep up with the saga that was Excite@Home? Read the inside story you may have missed here in a News.com exclusive package on the company, its challenges, and its eventual downfall.

Merger madness
The war of words is picking up as the clock ticks down toward the vote for the proposed merger of Hewlett-Packard and Compaq Computer. Dissident HP board member Walter Hewlett said HP CEO Carly Fiorina and Compaq CEO Michael Capellas stand to reap a windfall $115 million from a proposed compensation package pegged to a successful deal between the two companies.

In rallying people to her side, Fiorina urged shareholders to "focus on the reality of the industry" when considering the proposed merger. At an analyst meeting, Fiorina painted a stark picture of the information technology industry, arguing that growth is slowing and companies will need scale to compete. Fiorina said the IT sector would face slower growth, price pressure, and increasing customer demand "with or without this merger."

But opposition to the merger is mounting. HP workers in Idaho are against the mega-merger by more than a two-to-one margin, according to a survey commissioned by merger opponent David Woodley Packard, son of HP co-founder David Packard. The survey builds on an earlier Field Research poll taken last week in Corvallis, Ore., and virtually mirrors the results of that survey.

Also of note
Apple Computer was awarded a technical Grammy by the National Academy of Recording Arts and Sciences for its contributions to the music industry and recording field...eBay is updating its privacy policy and user agreements, making it easier for the company to disclose members' personal information or to ban people from the site...America Online's sales tactics have landed it in federal court, where it stands accused of billing customers for unordered merchandise hawked in aggressive pop-up advertisements on its Internet service...The U.S. Supreme Court rejected an appeal in a case involving an attempt to shut down an adult Web site by the city of Tampa, Fla...An international array of environmental groups is charging computer makers and their consumers, along with the United States government, with using Asian nations as a dumping ground for hazardous electronic waste.

Want more? Check out all this week's News.com headlines

This is an Important Notice to All Hitsgalore.com Members

Pacifica Labs, Inc. has acquired the Hitsgalore.com web properties. The current Hitsgalore.com search engine and affiliate site will be taken offline as of March 29, 2001. Pacifica Labs, Inc. will release its own newly designed version of the search engine and affiliate site, incorporating some of the same features. The new search engine will also include many brand new features that we are sure will benefit all current members.

All member information will remain the same; all deposits on hand will receive full credit at transfer to the new site. Also all down lines in the old affiliate program will remain the same. Please note that all HitsMail account will be terminated, once terminated retrieval of email messages will not be possible.

Please bookmark the new site at: http://www.b2bsearch.tv. All Affiliates will have access to there down lines and self replicating marketing web sites as well.

We expect the new site to be online on or before April 5th, 2001.

Should you have any questions please e-mail: support@pacificalabs.tv, please allow us a few days to respond during this transition.

NETAID.ORG Provides Internet Access for Education

Children everywhere want to learn. But half of all children in Peru come from poor families, and in the capital city – Lima - many boys and girls between the ages of 5 and 9 are at a high risk of dropping out of primary school.

In general, they fail for want of early childhood education or other opportunities to succeed. Poverty and illiteracy are often handed down from generation to generation in households where there are no reading materials or expectations that life can be different for the young. Children from very poor families arrive in first grade unprepared for learning, and with classroom overcrowding, it makes it difficult for teachers to provide needed special attention. Repeated failure in early primary school leads to low self esteem among the children and encourages parents to pull them out before they achieve literacy, effectively reinforcing the cycle of poverty.

A remarkable program supported by www.netaid.org, the “Two for One” Learning for Life program, is now able to extend its reach to 16,000 more schoolchildren thanks to Netaid.org visitors. This program is channeling school materials and Internet Access “kits” to these extremely poor schoolchildren, while also providing a challenge for adolescents who often complain that there are too few meaningful challenges for them. The kits provide materials needed to begin the instruction. Through the Learning for Life program, high school students are given the opportunity to work in their free time with groups of primary schoolers from the poorest neighborhoods - helping to provide the support these children need to learn to read, write, reason and resolve problems.

"Learning for Life" is now in its third year with a record that shows that seven out of eight children who have participated are still in school. After only 8 weeks, children in the program perform an average 30% higher on standardized tests. They learn to read and write, improve their self-esteem, and get the skills and confidence they need to get more out of class and stay in school.

One special reward for the Learning for Life teen mentors is that they get Internet time to work with Netaid Online Volunteers managed by the United Nations Volunteers Program. Volunteers with Spanish language skills provide learning materials which the teenagers download locally. Visitors to the Netaid site are encouraged to support this educational research by purchasing Internet Access Kits costing $16. This kit provides three teen mentors with one hour per week of Internet access plus printing costs for the entire 8 weeks of the learning program.

For an electronic picture window on the Two-for-One program: www.netaid.org/go/view2for1

Guidelines to Follow When You're Surfing and Posting Messages in the Internet

Internet users better watch out what you post in the net. Thinking of using illegal or offensive words in your e-mail communications, read the latest publication of the Government of Canada about "Illegal and Offensive Content on the Internet: The Canadian Strategy to Promote Safe, Wise and Responsible Internet Use."

For more information, http://www.connect.gc.ca/cyberwise.

The Canadian Association of Internet Providers (CAIP) recently started a Web site the Protection Portal, that profiles groups that are working to increase consciousness on important Internet issues.

For more information, http://www.caip.ca/portal/portal-main.htm.

What is the Internet, Web-page and Desktop Publishing?

In 1994 the Internet emerged with an array of browsers and Hypertext Transfer Protocol (known as http://) and other standards used. Now, it is the year 2001 and in the computing world there are many forms of programming languages. It is just common sense that the standardization of software application comes as a natural progression. The core languages used to date are HTML, JavaScript, Java, XML and C++. The are other languages emerging and perhaps get recognition in the future, but for now the preferred language is one that interface with the internet and desktop applications (software).

PC Hobbyist are looking for that ultimate in CPU's, applications and devices. It can only get easier as we turn to a user friendly - plug and play format. The introduction of technology is rapid and depreciation of these devices are high. So do your research before getting your feet wet and there is nothing like having a computer in front of you to learn.

Many schools locally are providing training but not really getting the desired results. The Internet and world of computing is vast and talent is scarce. The market at the moment is attractive to the ones looking to expand themselves in this trade. Especially south of the border where you can earn in excess of $75K US dollars.

So what is this so called Internet, which we refer to as "CYBERSPACE". It is simply the inter-connection of many computers in a global scale. The connection of these computers enables communication back and forth rapidly. We are able to access information from bigger computers known as servers, which has one specific function. The connection of computers are referred to as a "NETWORK". You can access all sorts of enormous amount of information. The sources of these information can vary from an individual, groups and organizations. The topics cover literally from "A to Z", and it is a good learning tool with many applications both good and bad.

Now, what is a webpage? To use a metaphor it is like a page in a magazine. If you are familiar with the Internet the moment you open your Browser, something appears in the screen and that is a web-page. A basic web-page consist of text information, graphics, sounds and/or a combination of the above. The basic languages used are HTML and Javascript, which works well with Netscape and Microsoft Internet Browser. There are many degrees of sophistication with web-pages, so be prepared to be dazzled.

And Desktop Publishing, is simply creating your work with the use of a publishing tool/application ( ie, MS Word, Word Perfect, Front Page and etc.) installed in your desktop computer. There are many forms of media for example Print (newspapers, books and magazines), Radio, Television, Motion Pictures and the Internet.

Many homes in North America are not equipped with computers and we are about 300 million in population. Just think of the numbers and the opportunities. Are you interested in this trade? Do you fit in? Perhaps the best way is to find out is to do your research.

Related Links:

Address, Email, URL & Newsgroup

How to Create a Web-page

Recommended Download

Connecting Families to the Internet Program

The Quebec Government program "Connecting Families to the Internet" is available to people receiving family allowance from the Régie des rentes du Québec. This program offers partial financial assistance to purchase or rent a multi-media computer (Desktop/Notebook) and connection to the internet.

The subsidy for a desktop computer is a maximum of $500. The internet connection is $16.66/month for a 2 year period. There are limitations and it is better that you do your homework before you purchase a computer. Best advice that we can give is do not go overboard and spend over a thousand to purchase a computer. You can purchase a complete set for under $800 not including taxes. Remember when you apply the G.S.T. and the P.S.T. YES TAXES!!! the real cost of the supplement after taxes is not a lot. Be a smart consumer and pay only for what you can afford or get the best deal for your money. This program is available only with participating retailers. Do your research and do not be pressured into buying outside of your budget and purchasing blindly. After all it's money from your pocket not theirs, and one other thing the program ends on March 31, 2001. More information on "HOW TO SHOP FOR A COMPUTER"

For further information on Connecting families to the Internet surf the following site: http://www.familles.mic.gouv.qc.ca/

Related Links

Web Creation

The Montreal Tribune ISSN 1186-2165 ®

Signed articles are the responsibility of the writers and not those of the publisher and editors of this publication.

Any communication concerning this site should be addressed to the webmaster.

Staff Business Letters Feedback Links Investment Inq