Here's info about the IE 3.0 fix from Microsoft. Patch and explanation
available at URL

Now back to Firewall issues. This problem would not impact sites using
or application gateways. Direct dial-up Internet access and Direct LAN
would be vulnerable.

>From: Ashwin Kumar[SMTP:kumar @
>Sent: Monday, August 26, 1996 12:53 PM
>To: Bill Stout
>Cc: Bill Stout; Firewalls @
>Subject: Re: MS Explorer 3.0 'Serious security flaw'?
>On Fri, 23 Aug 1996, Bill Stout wrote:
>:Date: Fri, 23 Aug 1996 16:34:29 -0700
>:From: Bill Stout <bill .
>:To: Ashwin Kumar <kumar @
>: Bill Stout <bill .
>:Cc: Firewalls @
>:Subject: Re: MS Explorer 3.0 'Serious security flaw'?
>:At 02:13 PM 8/23/96 -0700, Ashwin Kumar wrote:
>:>On Fri, 23 Aug 1996, Bill Stout wrote:
>:>:Anyone know what the 'serious security flaw' is in MS Explorer 3.0?
>:>The core of the attack is a technique for delivering a document to the
>:>victim's browser while bypassing the security checks that would
>:>be applied to the document. If the document is, for example, a
>:>Word template, it could contain a macro that executes any DOS
>:>command. The attacker could arrange things so the macro was executed
>:>automatically as a consequence of the victim visiting the attacker's
>:What makes this an Explorer-specific problem?
>:If I'm not mistaken, _any_ browser will open a .doc or .xls document
>:helper application is defined. Word and Excel macro viruses are not
>:I thought it would've been an Active-X or e-mail scamming hole.
>:I don't think a firewall can be configured to filter Word/Excel macro
>In order to avoid the problem you describe, IE will prompt user for a
>warning them that the document could be "dangerous".
>The bug is that using some unspecified technique, the document will be
>downloaded without that dialog ever showing.