IMPORTANT SECURITY WARNING ... PLEASE TAKE NOTE!
SUMMARY: RUNNING IE 4.0 HAS SECURITY FLAW
USERS: Win98, IE 4.0, America On-Line (AOL), Microsoft Network (MSN)

On one of my new Win98 machines we discovered that we can reboot the
computer via a *browser* and/or wipe the disk. Apparently, the HTML
calls Javascript which invokes a Java applet which then can run any
program on the local computer. We tried this in Netscape Communicator
4.5, which balked. We were unable to recreate the problem in Netscape.
We added the ActiveX plug-in by NCompass to Netscape, but still were
unable to recreate the problem in Netscape.

We thought this problem might only exist if the files were local. Not
true. We were able to recreate the security problem by loading the
files off of a web server over the internet. This applet was "signed"
by Verisign, yet we were able to defeat security and have complete
access to the user's workstation.

IMPORTANT: This means that *any* command can be silently run from your
computer, including: formatting your disk drive, rebooting your
computer, silent upload/download of *any* of your files. We also
verified that commands can be run with parameters: an important feature
because it doesn't require the user to download viruses onto the
computer -- the viruses (normal windows commands) are already there.

This appears to be a significant security hole, which is the default
settings for Win98 installations. Your privacy may be silently
compromised just by surfing the net with IE 4.0. It appears that the
main flaw is the ability to use ActiveX controls and/or commands
directly through the IE 4.0 browser.

One possible solution is to select the "highest level of security" in IE
4.0, by selecting View -> Internet Options, clicking on Security tab,
then selecting "high".

One can avoid this in Windows 95 by *not* running IE 4.0 -- using
another browser (e.g., Netscape) appears to be safe. However, Windows
98 claims that the browser is built into the operating system, and it's
not clear how these "explicit browser" parameters affect the "implicit"
use of the browser built into the system.

There is probably more information to be discovered, but we felt it was
important to get this warning out as soon as possible.

If you are a legitimate security professional, we can point you to some
URLs and other information of interest that can demonstrate the problem.

Again, sorry if you've already received this security information.

-FF
-----------------------------------------------------------------------
Frank Farance, Farance Inc. T: +1 212 486 4700 F: +1 212 759 1605
mailto:[log in to unmask] http://www.farance.com
Standards, products, services for the Global Information Infrastructure