OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Christian Piper (Christiandesigndesires.co.uk)
Date: Tue Apr 09 2002 - 16:19:14 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Just to confirm I replyed to Mike about this here is what I sent him.

    -------------------------------------------------------------------
    Sorry my mistake, I should have posted some relvant links, I also think its
    a high security risk.

    http://www.informationweek.com/story/IWK20010927S0021

    Heres a snippit from the site mentioned ...

    "
    AOL/Netscape Undermines Your Browser Security Settings
    AOL/Netscape's abuse of browser security settings first came to my attention
    when reader Michael G. Baker, Jr. sent this alarming E-mail:

      "When a user downloads or updates AIM, free.aol.com is added to the users'
    IE Trusted Sites Zone. This also happens if you download Netscape6.x with
    integrated AIM. It is one thing for them to put that free.aol.com link
    everywhere when you download N6, even in IE's bookmarks, but quite another
    thing to mess with security settings. Although mostly harmless, it is the
    principle. I don't think this is right. If this was Microsoft messing with a
    Netscape security setting, all hell would break loose."
    It's true. Without so much as a by-your-leave, AOL software inserts
    "free.aol.com" into your IE browser's "Trusted Zone." Talk about an
    aggressive installation routine!

    The IE Trusted Zone's security permissions are intentionally relaxed.
    Scripts and ActiveX components can run (some with no prompting); downloads
    are enabled; Java safety is low; cross-domain data-sourcing is allowed;
    there's no alert when a site's security certificate is missing or revoked;
    and so on. Normally, that's OK, because the only sites in the Trusted Zone
    are those you put there yourself, after you decide that a site is entirely
    above-board. (Even so, many security-conscious users put no sites in the
    Trusted Zone, leaving nothing to chance or goodwill, and instead enforcing
    at least the "Internet Zone" restrictions on all Web sites.)

    By automatically placing its own site in the Trusted Zone, AOL creates a
    double security threat. If you (or your users) download and install Netscape

    6.x, AIM, or any product with integrated AIM, not only do you have to cope
    with the inherent problems of an IM client itself, but you'll also have AOL
    set up as trusted site. That can bypass the browser security settings you've
    established for normal Internet connections.

    To me, this is clearly a very wrong thing to do. No site, from any vendor,
    should set itself up to bypass your normal browser security settings.
    (Microsoft's browser should not allow such changes to be made covertly--but
    IE's problems are a whole other issue.) Free.aol.com may be relatively
    harmless, but there's nothing to prevent a malicious site from trying to set
    itself up as either a trusted site on its own, or as a spoofed, malicious
    version of free.aol.com."

    Hope this helps.
    Christian Piper

    -------------------------------------------------------------

    Thank You
    Christian Piper

    ----- Original Message -----
    From: "Ralph Los" <RLosenteredge.com>
    To: <mikedrootdown.net>; <incidentssecurityfocus.com>
    Sent: Tuesday, April 09, 2002 5:33 PM
    Subject: RE: AIM Backdoor?

    > Yessir, I just double-checked my newly installed WinXP Pro machine, and
    low
    > and behold - there's free.aol.com. I quickly removed it, duh, thanks for
    > the heads-up! I wonder how many of us will do this in the next 10 mintes?
    >
    > Happy Tuesday all,
    >
    > ----------------------------------------|
    > Ralph M. Los
    > Sr. Security Engineer and Trainer
    > EnterEdge Technology, L.L.C.
    > rlosenteredge.com
    > (770) 955-9899 x.206
    > ----------------------------------------|
    >
    > ::-----Original Message-----
    > ::From: mikedrootdown.net [mailto:mikedrootdown.net]
    > ::Sent: Monday, April 08, 2002 10:19 PM
    > ::To: incidentssecurityfocus.com
    > ::Subject: AIM Backdoor?
    > ::
    > ::
    > ::
    > ::Repost attempt, dunno why it didnt go through the first time.
    > ::
    > ::
    > ::
    > ::I have had AIM installed here at work for a while. While
    > ::trying to repair the security zone settings on a users PC by
    > ::comparing them to my own, I noticed that free.aol.com had
    > ::been added to Internet Explorers "Trusted Sites" zone.
    > ::
    > ::If a simple minded user clicks one of the many "Free AOL and
    > ::Unlimited Internet" icons on their system, or one of the
    > ::5,800 links to this domain that google turns up, AOL can run
    > ::the code of their choice without prompting.
    > ::
    > ::Anyone care to verify my findings or find a CSS vulnerability
    > ::on free.aol.com? Does an employee of AOL care to comment?
    > ::
    > :: -Mike
    > ::
    > ::
    > ::--------------------------------------------------------------
    > ::--------------
    > ::This list is provided by the SecurityFocus ARIS analyzer
    > ::service. For more information on this free incident handling,
    > ::management
    > ::and tracking system please see: http://aris.securityfocus.com
    > ::
    > ::
    >
    >
    > --------------------------------------------------------------------------

    --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    

    ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com