Great Circle Associates Firewalls
(April 1997) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: Microsoft Explorer -Reply
From: Scott Fagg <scott . fagg @ arup . com>
Date: Wed, 16 Apr 1997 03:37:42 +0000
To: firewalls @ greatcircle . com 
There are also instances where netscape or IE can send your
username and encrypted password to an abitrary server on the net.

a tag like file:\\server\share in html when on NT or 95 convinces
the OS to try and connect to the server using SMB (ie windows file
sharing) and part of this entails sending the username/password.

There is a site on the net where you browse a page and it TELLS
YOU your username and encrypted password! (cant remember URL)

the solution is to run behind a firewall and not allow netbios to
pass.



>>> Christopher Curtis <ccurtis @
 facm .
 fit .
 edu> 16/April/1997
12:19am >>>
On Tue, 15 Apr 1997, Harry Munir Behrens wrote:

> Mike's mail is obviously meant as a joke! Of course M$ is NOT
going 
> to scan for a copy of Netscape Navigator and infect it with a
virus or
> automatically debit your creadit card!

Just in case there is any confusion (while the sarcasm level on
this list
may be high, its apparency is not) there are pages that have
embedded
Active-X controls that when visited by MSIE (the only browser
currently
supporting Active-X) they will, in fact, scan your harddrive for a
copy of
Quicken or MS-Money and set them up to automatically debit your
account by
transferring funds from your account to theirs.  Of course, in
order for
this to happen, you have to allow the Active-X through (most
people turn
off the dialog boxes anyhow, so this _is_ a problem) and do online
banking.  I don't know the number of people who fit this profile,
but the
possibility is out there.  There are also pages that if visited
using MSIE
on an Intel machine will shut the machine off, or at least, close
the
operating system (some computers will turn off when Win95 exits). 
Likewise, it would be trivial to put a virus on your computer
using these
methods.  "Gee, what is this 'readme.doc'?  I don't remember
writing
that..."  This can be considered a biased opinion, but anyone
remotely
interested in security (such as those on a firewall list) should
avoid MS
products and especially "innovations" as the dearth of security
they are.
Then again, when dealing with MS, the firewall is probably the
first line
of defense.  Too bad not everyone will set up a (non-MS) firewall
at home. 

Flames to /dev/null,
Christopher
Follow-Ups:
Indexed By Date Previous: opening arbitrary ports- bad idea, or acceptable? -Reply
From: Scott Fagg <scott . fagg @ arup . com>
Next: Firewalls-Digest V6 #159 -Reply
From: Joel Wiley <jwiley @ cdpr . ca . gov>
Indexed By Thread Previous: Re: Microsoft Explorer -Reply
From: mike . johnson @ rtp . gtegsc . com (Mike Johnson)
Next: Re: Microsoft Explorer -Reply
From: Steve Birnbaum <sbirn @ netmedia . net . il>
Google
 
Search Internet Search www.greatcircle.com