mailing list archives
Re: Minor IE vulnerability: about: URLs
From: Simon Kornblith <slists () simonster com>
Date: Sat, 20 Oct 2001 09:34:25 -0400
On 10/19/01 5:47 PM, "Pedro Miller Rabinovitch" <pedro () ciphertech com br>
At 17:13 +0200 19.10.01, Clover Andrew wrote:
Assume all versions of IE/Win are vulnerable. Status of IE under other
platforms is unknown. Versions tested:
4.72.3612.1713 (SP2; 3283)
I've confirmed the bug in the above.
In MacOs 9.1, IE5 and IE4.5 do not expose the hidden about:
'feature'. Thus, they don't seem to be vulnerable.
As a U.S. Senator recently said (as quoted by Wired magazine) on the
whole security problem: "Use a Mac." ;-)
(please take this comment with a truckload of salt. I *am* j/k)
I can also confirm that IE 5.1 for Mac OS X isn't vulnerable. It just shows
the entire thing in the title of the about box, even if you type in
about:</title>. Not sure if this was the same outcome as IE5 and IE4.5, it
A Microsoft chap pointed out that sites can already break out of the
Restricted Sites Zone, simply by pointing at another site that is
not in that Zone.