Nick FitzGerald <nick@virus-l.demon.co.uk> wrote:

> This was hinted at in Andrew Clover's message of 19 October

Yes. I noted that "IE incorrectly applies HTTP-style URL parsing to 'about:' URLs", from which I really should have investigated further to find that in fact it doesn't recognise the difference between http: and about: at all in the case of cookie access security. My bad - having found what I considered enough of a hole to require patching, I didn't go further and find its full potential.

> That's interesting, given they seemed to think there was no
> problem (despite the flaw being obvious to the rest of the
> world) back when Andrew mentioned it...

Well, my exploit was less serious than this, but it was indicative of brokenness, and I would have expected the IE team to at least investigate. Instead, Microsoft seemed more interested in arguing Mitigating Factors.

It would be easiest to simply remove the about-unknown-page-echoing-"feature", since it is of no legitimate use whatsoever (or at least enforce HTML-escaping on it). I do not expect the patch for Jouko's more serious exploit to do so, when it's released, but there's always hope.

> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap\ProtocolDefaults\about = 4

Indeed, I've been using this a while with no problems, recommend it.

--
Andrew Clover
Technical Consultant
1VALUE.com AG