MCI Telecommunications
internetMCI Security Group

Report Title:          iMCI MIIGS Security Alert
Report Name:           MSIE 4.0 Security Hole
Report Number:         iMCISE:IMCIMS:102097:01:P1R1
Report Date:           10/20/97
Report Format:         Formal
Report Classification: MCI Informational
Report Reference:      http://www.security.mci.net
Report Distribution:   iMCI Security,
                       MCI Internal Internet Gateway Security (MIIGS),
                       MCI Emergency Alert LiSt (MEALS)
                       (names on file)

--------------------------------------------------------------------------

Microsoft is now providing a fix to protect users' computers
against a potential problem with Internet Explorer 4.0 known
as the Freiburg text-viewing issue, which could allow a
malicious Web site to obtain the contents from a text, HTML,
or a graphic image (no other file types) from a user's hard disk.
That information could not be damaged or manipulated on the user's
computer, but it could be viewed.

The issue could allow a malicious person to create a Web page
that is intentionally designed to exploit this problem to view
the contents of a text file, HTML file, or graphic image from a
user's hard disk. The Web page must be specifically designed to
obtain certain files--to the level of knowing and including the
exact filename and location--and that file must be an HTML, text,
or image file. Even if those conditions are met, the site cannot
destroy or tamper with any data. Again, data cannot be obtained
from any files other than text, image, or HTML.

The fix was posted on Friday at;

  http://www.microsoft.com/ie/security/?/ie/security/freiburg.htm

and it has been confirmed to fix the problem according to Ralf.
The patch is just under 1MB and only available in U.S. English,
German, and Japanese versions (meaning some language versions
are not yet available).

You can get the patch directly from;

  Windows '95 - U.S. English
  http://www.microsoft.com/msdownload/ieplatform/ie4patch/00000.htm

  Windows NT 4.0 - U.S. English
  http://www.microsoft.com/msdownload/ieplatform/ie4patch/01000.htm

References:

  1. http://www.jabadoo.de/index.html
  2. http://www.jabadoo.de/index.html
  3. http://www.heise.de/ct/
  4. http://www.jabadoo.de/press/ie4demo.html
  5. http://www.microsoft.com/ie/

==========================================================================