http://www.zdnet.com/pcweek/stories/news/0,4153,1013784,00.html
Microsoft Corp. is working on a patch for a patch.
By Jim Kerstetter, PC Week Online
January 29, 1999 3:25 PM ET
In September, the company issued a patch for a security vulnerability in
its Internet Explorer browser. The problem, dubbed the Cross Frame
Navigate Vulnerability, essentially lets a malicious site run a script
that takes control of a second window on a browser.
Through that second window, a hacker can peek at particular files on a
user's hard drive without the user's knowledge. Through the vulnerability,
a hacker could also display fake content on a trusted Web site and trick
users out of private information like credit card numbers.
Microsoft (MSFT) thought it had the problem licked, but a bug hunter in
Bulgaria named Georgi Guninski found a new way around the patch for the
original problem.
"It's not that there was a problem with the fix. It was fine for four
months," said Michael Nichols, product manager for Microsoft's Personal
and Business Systems Group. "But someone found a way to get around the
additional safeguards that we put in."
Microsoft officials in Redmond, Wash., said they are working on a patch
for the patch but don't know when it will be completed.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 17:16:07 1999