More on the IE Cookie Problem:
From ZDNET: zdnet.com
- - - - - - - - -
The problem is that a lot of people are lazy when it comes to passwords. They use the same password, or slight variations of the original password, because remembering them is not easy. I would bet that most people here, if they have password access to, say, 20 sites (tech support, trading, chat, whatever), use the same password for most of them.
- - - - - - - - -
That's why this exploit is a bad one: peacefire.org
Implications: By intercepting a cookie set by HotMail, Yahoo Mail or any other free Web-based email sites that use cookies for authentication, the operator of a hostile Web site could break into a visitor's HotMail account and read the contents of their Inbox. (HotMail cookies do not contain user passwords, but they do allow a third party to access a user's HotMail account for as long as that user stays logged in, since each separate login generates a new cookie.)
A user's Amazon.com cookie could be used to visit Amazon.com impersonating that user, and access their real name, email address, and the user's list of "recommended titles" -- which can be used to determine what types of books or CDs the user has purchased from Amazon in the past. (You cannot, however, access the user's credit card number or their actual list of previous Amazon.com orders, since accessing this information requires a password that is not contained in the cookie.)
A user's MP3.com cookie stores their email address.
A user's NYTimes.com cookie stores their NYTimes.com password. This isn't useful by itself, since the password is only needed to browse articles on NYTimes.com, but exposing this password is still dangerous since users might have the same password set up for several different sites.
A user's Hollywood.com cookie stores their city, state, and zip code.
A user's Playboy.com cookie stores the fact that the user has visited Playboy.com -- which not every Playboy visitor would want the whole world to know. (Yeah, we know, you just wanted to read the Jesse Ventura interview.)
- - - - - -
According to the ZDNET article, MS says a fix is on the way. Interesting that it takes so long. In a setting like OpenBSD or FreeBSD, a fix would be out in a day or two. Sometimes faster. The thing is, OpenBSD has not had one exploit in almost 3 years. MS has them on a weekly basis, it seems.
Users of IE may want to switch to Netscape. It is a superior browser.
For a very secure alternate OS, see: openbsd.org
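As an added example (not code from the post, ZDNet, Peacefire, or any of the sites named above), the Python below shows the two defensive points that fall out of the list of exposures: an audit that flags cookies carrying a password or personal data in the clear, the way the NYTimes.com and Hollywood.com cookies did, and a server-side session store that puts only an opaque random token in the cookie, so a captured cookie is useful only while the session is alive, expires on a short timer, and dies at logout. The cookie headers, user names and the `SENSITIVE_NAMES` list are constructed for illustration.

```python
"""Defensive checks for the cookie exposures discussed above.

Added example; not code from the post, ZDNet, Peacefire or any site it names.
The cookie strings and user names are constructed for illustration.
"""
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Cookie names that should never carry their value in the clear. The list is
# modelled on what the post says sites stored (passwords, e-mail addresses,
# city/state/zip); extend it for the application under review.
SENSITIVE_NAMES = {"password", "passwd", "pwd", "email", "city", "state", "zip", "zipcode"}


def audit_cookie_header(header: str) -> list:
    """Return, sorted, the cookie names in `header` that carry sensitive data.

    `header` is the text of a Cookie (or Set-Cookie) header. A cookie that holds
    only an opaque session token reports nothing.
    """
    jar = SimpleCookie()
    jar.load(header)
    return sorted(name for name in jar if name.lower() in SENSITIVE_NAMES)


class SessionStore:
    """Server-side sessions keyed by an opaque random token.

    The cookie carries only the token, so a captured cookie reveals no password
    or personal data. The token is resolved server-side, so it can be revoked
    on logout and dies on its own after `ttl_seconds`: a captured cookie is
    useful only while the session is alive (the property the post describes
    for HotMail), with a short lifetime added on top.
    """

    def __init__(self, ttl_seconds: int = 900):
        self.ttl_seconds = ttl_seconds
        self._sessions = {}  # token -> (username, expiry as epoch seconds)

    def login(self, username: str, now: Optional[float] = None) -> str:
        """Create a session and return the token to place in the cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, now + self.ttl_seconds)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None if unknown, expired or revoked."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # expired: drop it
            return None
        return username

    def logout(self, token: str) -> None:
        """Revoke the token; the cookie becomes worthless immediately."""
        self._sessions.pop(token, None)


# Constructed cookie headers shaped like the exposures the post lists.
SAMPLE_HEADERS = {
    "password_in_cookie": "user=alice; password=hunter2",
    "pii_in_cookie": "city=Springfield; state=OR; zip=97477",
    "opaque_token": "session=" + secrets.token_urlsafe(32),
}


def session_lifecycle(ttl_seconds: int = 900) -> dict:
    """Walk one login through use, expiry and logout with a fixed clock."""
    store = SessionStore(ttl_seconds)
    t0 = 1_000_000.0
    token = store.login("alice", now=t0)
    fresh = store.resolve(token, now=t0 + 1)
    expired = store.resolve(token, now=t0 + ttl_seconds)  # TTL reached
    token2 = store.login("alice", now=t0)  # each login mints a new token
    store.logout(token2)
    after_logout = store.resolve(token2, now=t0 + 1)
    return {"fresh": fresh, "expired": expired, "after_logout": after_logout}


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, "->", audit_cookie_header(header) or "clean")
    print(session_lifecycle())
```

Running the block prints `["password"]` for the first header, `["city", "state", "zip"]` for the second and `clean` for the opaque token, then a lifecycle dict where only the fresh lookup returns the user. The audit is name-based on purpose: a cookie that smuggles a password under an innocuous name will not be caught, so it is a triage aid for reviewing Set-Cookie output, not proof of safety.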