Not an area in which I am knowledgeable, but is it as bad as it sounds?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Microsoft's new Internet Explorer 4 allows the hiding of commands in an
email or Web page that secretly send files to unauthorized people.
Internet Consultant Ralf Hueskes, who reviewed IE4 for the German computer
magazine c't, considers this security hole a severe problem for end users
and companies: "Even a corporate network secured by a firewall is not
protected against this attack." The security hole is not an error in the
code, but has its reasons in the concept of the program, he says. It even
exists when the browser's security options are set to the standard values
for "high".
The only obstacle for the intruder: he has to specify exact path names or
Intranet addresses for the files. Since a lot of programs, e.g. when
running with Windows, use standardized directory names, the thief has a
good chance to get the security file for a homebanking program, for example.
A spokesperson from Microsoft stated "Microsoft regards the failure not to
be severe", he said, "It wouldn't be possible to change or destroy files
this way."
Detailed information about the IFRAME security hole and protection
mechanisms can be read on the Web server of Ralf Hueskes
(http://www.jabadoo.de/press/ie4_us.html) and also in the upcoming issue
12/97 of c't, which will be published on October 27th. (ct/jk)
excerpted from Verlag Heinz Heise GmbH & Co KG NewstickerAdmin 1.41