#1
  1. Web Developer
    Devshed Novice (500 - 999 posts)

    Join Date
    Oct 2001
    Location
    Finland
    Posts
    719
    Rep Power
    15

    Security bug in IE 5.5+


    I thought this might worth attention of a few people. It seems that IE has a huge security issue with cookies saved into it. With a simple code you can extract information from those cookie, although the cookie has been set to show information only on the sites that it was created in. The problem was found by Online Solutions Oy.

    You can read the Microsoft Security Bulletin MS01-055 for more information.
    -- Tomi Kaistila
    -- Developer's Journal

    The more you learn, the more you know.
    The more you know, the more you forget.
    The more you forget, the less you know.
  2. #2
  3. No Profile Picture
    myOstrich Internet
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2001
    Posts
    28
    Rep Power
    0
    The continued lack of quality control in software from the largest software company in the world never ceases to amaze me.

    The sad thing is there are so few viable alternatives for the mainstream, that Microsoft does not have to care and they will still make money hand over fist on their software.

    Cookies are safe! Cookies are safe! Ooops. No they are not, sorry.

    I've now gone through and deleted cookies I felt were at risk. It amazing how many I had that potentially would let someone order from Amazon in my name, or get into my 401k account, or...

    -t
  4. #3
  5. Web Developer
    Devshed Novice (500 - 999 posts)

    Join Date
    Oct 2001
    Location
    Finland
    Posts
    719
    Rep Power
    15
    The thing is that there is no guarentees that this bug wouldn't be found in IE 5 or in older versions too. Personally this puts me to inspect my own Authentication Class with a magnifying glass. This also raises a new motto: don't trust other people's security, trust your own...

    That sounds pretty good. Maybe I'll put it on my signature
    -- Tomi Kaistila
    -- Developer's Journal

    The more you learn, the more you know.
    The more you know, the more you forget.
    The more you forget, the less you know.
  6. #4
  7. No Profile Picture
    Python Prophet
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2001
    Location
    Amersfoort, The Netherlands
    Posts
    45
    Rep Power
    14
    Go use K-meleon now. Mozilla is too bloated, but K-meleon is almost the perfect browser.
    Some people, when confronted with a problem, think I know, I'll use regular expressions. Now they have two problems. - Jamie Zawinski, in comp.lang.emacs
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2001
    Location
    London
    Posts
    69
    Rep Power
    13
    I notice that as soon as the thread started the second response was anti microsoft. One thing I would raise about cookies is that as developers arn't we encouraged not to use cookies to hold sensitive data in them? I know my supervisor on my industrial year at uni made dam sure we used sessions instead which are securor.

    You say that it still surprises you that Microsoft lets bugs through in its code, true. How many people who code and tested there site throughly have passed it bug free only to have someone ome back an hour later with a great big bug in there that you hadn't foudnd? Alos Microsoft's size plays against them, they have more software used by more people on the market than anyone else so of course people are going to try and show that Microsoft is bad.

    Right my rant's over. Just to say I ain't anti nor pro Microsoft I just think that people automatically go anti microsoft as soon as they hear the name.
    Humble Seeker

    The longest journey starts with the smallest step, and knowledge is the longest journey of all.
  10. #6
  11. No Profile Picture
    myOstrich Internet
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2001
    Posts
    28
    Rep Power
    0
    Originally posted by Humble Seeker
    I notice that as soon as the thread started the second response was anti microsoft. One thing I would raise about cookies is that as developers arn't we encouraged not to use cookies to hold sensitive data in them? I know my supervisor on my industrial year at uni made dam sure we used sessions instead which are securor.[clip].
    Yes, that was my post and it was anti-Microsoft. I am sick and tired of their lack of quality and security. They own the market almost entirely due to their marginal business practices. Customers are not their concern, selling them new versions of Office every year because they refuse to be forward compatible is their primary concern. This sickens me.

    I've been developing software commercially or professionally for the past 20 years, and I've never seen as much garbage come out of one development house in my life. I have junior programmers who are more professional in their coding practices than what I see coming out of the largest softare house in the world.

    Microsoft is not interested in quality software, they are solely interested in their marketing plans.

    I have intimate past involvement with the processes used in Redmond, and I can tell you that product security and product quality are second to the marketing plan - which drives the development plan. There is no excuse for it. They don't need to ship poor quality, buggy, insecure software to continue to own the market. The fact that they own the market makes them continue to ship junk as software.

    Did you know that they have the largest automated testing facility in the world, and that it's virtually impossible to get time in the lab for testing because of their poor internal quality control? How many times do you need to be exposed by a buffer overflow problem before you solve it once and for all in your core internal library routines that deal with I/O? For most companies of this size, that would be once. For Microsoft, the development practices that learn from past mistakes and build quailty code on top of quality code do not exist.

    As for storing sensitive information in cookies, what can you store now in a cookie that is not sensitive - knowing that I can harvest all your cookie data when you visit my website. What's NOT sensitive that you would even bother to store? Store a key to a session ID on a server that expires in 10 minutes. Anything else leaves you open to attack.

    Thanks Microsoft.

    -t
  12. #7
  13. Web Developer
    Devshed Novice (500 - 999 posts)

    Join Date
    Oct 2001
    Location
    Finland
    Posts
    719
    Rep Power
    15
    Humble Seeker: As much I'd liked to agree with you, I can't. I was personally a fan of Microsoft. I still like their internet browser more than any other browser. But we have to face the facts here. What thewitt said was to the core of the fungus.

    About what to store in the cookie that's sensitive, hasn't it been a policy to store user information to a cookie so you can display (for example) the "right" banners for that user. What would such a cookie contain? Anybody can do that, but only the wisest store only an DB or session id to the cookie, so you can quickly check the user from your databases. But lets take a look at a Auth class. I have one, it's pretty secure, atm.

    I think it's now up to us, developers to be "smarter" than the software houses and produce products that doesn't fall into pitfalls, created my the big software houses. I managed to make a small measure that protects your password and username, even if stored into a cookie. Simple, crypt it. You make a string, from (for example) names, countries, ids, and basicly anything you have about the user, and then just crypt that. It would be almost impossible for crackers to know what strings you used to create the encrypted word.

    Anyway, thewitt talked about smart things about smart developers. I agree with him and support such policies, although I am only a low web developer. I think the largest software house in the world should be able to do that too...
    -- Tomi Kaistila
    -- Developer's Journal

    The more you learn, the more you know.
    The more you know, the more you forget.
    The more you forget, the less you know.
  14. #8
  15. Web Developer
    Devshed Novice (500 - 999 posts)

    Join Date
    Oct 2001
    Location
    Finland
    Posts
    719
    Rep Power
    15

    Exclamation Security patch from Microsoft


    Okei people,

    MS finally published a patch for us all IE users to update our browser to more secure. This should fix the security bug in the cookie that anybody can read your cookie, regardless of where you surf. But developers should stay alert, there will be also people who don't have this patch. So lets try keep our scripts secure...

    Get the patch from http://www.microsoft.com/windows/ie/...61/default.asp
    Last edited by Datamike; November 19th, 2001 at 01:49 AM.
    -- Tomi Kaistila
    -- Developer's Journal

    The more you learn, the more you know.
    The more you know, the more you forget.
    The more you forget, the less you know.

IMN logo majestic logo spyfu logo threadwatch logo seochat tools logo