today's pet peeve
Joseph S. Barrera III
Thu, 18 Apr 2002 08:57:35 -0700

Speaking of that back button...

The IE back-button attack
By Thomas C Greene in Washington
Posted: 17/04/2002 at 17:50 GMT

Swedish security researcher Andreas Sandblad has discovered that the MS
execute in the same zone as the last URL visited, which in the case of the
error page generated by IE is the local computer zone. Thus when an error
by use of the back button.

To illustrate it, Sandblad created a little script which works nicely. Just
choose the appropriate link, follow it, and then hit the back button. Big

The script should work on most IE browsers but has been tested only with
IE-6 on Win-2K and XP, according to Sandblad's recent posting to the BugTraq
mailing list, where you can get a copy and play with it.

We've confirmed it for IE-6 on Win-XP Pro, and several readers have reported
that IE-5 is also affected. We've also heard that McAfee and NAV will block

MS was notified on 12 November 2001, and reminded on 25 March 2002, Sandblad
says. Apparently they're not as worried as the major anti-virus vendors. (R)