View Full Version : Not a flaw...II

09-13-2002, 04:22 PM
We discovered that it is possible for an attacker to execute script on any page that contains <frame> or <iframe> elements, ignoring any protocol or domain restriction set forth by Internet Explorer. This means that an attacker can steal cookies from almost any site, access and change content in sites and in most cases also read local files and execute arbitrary programs on the client's machine (script in the "My Computer" zone).
GreyMagic Security


Pretty easy fix for this one....disable "Navigate sub-frames across different domains" in Internet Options. And/or disable (or prompt) Active Scripting....

Paul Komski
09-13-2002, 07:20 PM
I have just about every security function in IE set to disable or prompt. IMHO its the only way to "surf" with any degree of freedom with IE.

For sites that one does trust (and that need these features); just add them to the trusted sites zone.

09-13-2002, 10:07 PM
...or use a more secure browser :)