RE: Microsoft IE cookies readable via about: URLS


 





>-----Original Message-----
>From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk] 
>Sent: Friday, November 09, 2001 3:51 PM
>To: bugtraq@securityfocus.com
>Cc: Jouko Pynnonen
>Subject: Re: Microsoft IE cookies readable via about: URLS



>A better workaround (assuming that you feel cookies are "relatively 
>useful" and would rather not turn them off) is to put about: URLs 
>into the Restricted Sites zone, as detailed in Andrew Clover's 
>followup to his own post:

>   http://www.securityfocus.com/archive/1/222552

>In short, create a DWORD value named "about" under:

>   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

>and set it to 4.

>I just tested this against your test page and with the above value set,
>the test tells me "No cookies found for site...".
>Interestingly, this registry change seems to have almost immediate
>effect -- i.e. it did not require a restart or logout/login or even
>an IE exit/restart (I did this on Win2K) but occasionally, when 
>running the test page over and over alternating back and forward 
>between having the above value set and not present (the default), the 
>page would work as if the registry value had not yet been changed.


I have tried this workaround; it works as described and without a reboot.
However, it breaks certain applications that use the "Internet Explorer
Server Window", most notably Yahoo Instant Messenger 5. It does not affect
versions 3 or 4. My version of YAIM is 5,0,0,1036.
The effect, in short: the "Internet Explorer Server Window" remains blank,
not showing the IM texts.

This might be due to poor design on Yahoo's part, but I am posting it as
it may affect other applications as well and might not be a good
workaround for all.


Best Regards,

Per Arne Johansson
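
The registry workaround discussed in this thread, written as a reversible change so that applications embedding IE can be tested and the previous state restored. This is an added example, not part of either post; the function names are hypothetical, and the key path, value name and value 4 are the ones quoted above.

```powershell
# Added example. Key path and value name are those quoted in the thread;
# function names are hypothetical. Run from an elevated prompt (HKLM write).
$Key        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
$Name       = 'about'
$Restricted = 4   # value given in the thread (Restricted Sites zone)

function Get-AboutZone {
    # Returns the current DWORD, or $null when the value is absent (the default).
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

function Set-AboutRestricted {
    # Applies the workaround and returns the previous state for later restore.
    $previous = Get-AboutZone
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
        -Value $Restricted -Force | Out-Null
    return $previous
}

function Restore-AboutZone {
    param($Previous)
    if ($null -eq $Previous) {
        # The value did not exist before: remove it to return to the default.
        Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
            -Value $Previous -Force | Out-Null
    }
}

$before = Set-AboutRestricted
"about: mapping was '$before', now '$(Get-AboutZone)'"
# After checking applications that host the IE control, roll back if needed:
# Restore-AboutZone -Previous $before
```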











