Skip to page content or Skip to Accesskey List.

Work

Main Page Content

Cookie Security Hole Again Not Who You D Expect

Posted on 29 Jan 2002

in News

by Jeff Howden (Jeff Howden)

Rated 3.19 (Ratings: 13)

Want more?

  • More articles in News
 
Picture of Jeff Howden

Jeff Howden

Member info

User since: 14 Dec 1998

Articles written: 21

With all the buzz around these days by the anti-Microsoft crowd about how insecure Microsoft's Internet Explorer is, it's quite ironic to see a security notice come out about a cookie problem existing in the anti-Microsoft crowds' browser of choice — Mozilla. What's even more ironic is that the security hole was reported to Netscape in the middle of November 2001. There wasn't a fix available until the release of Mozilla 0.9.7, approximately 1½ months after it was reported. And there's no mention of this fix in the release notes, though it was reported as fixed to Mark Slemko who discovered the exploit. A very similar security hole was reported to Microsoft within approximately one week's time and a patch was available within 4 days. There was plenty of noise about how Microsoft wasn't quick enough to address the issue. How come we don't hear the same amount of noise (or, more appropriately, more noise) about Netscape dropping the ball on this issue for so long?

There's a more in-depth news article available at TheRegister.com. If you'd rather skip the news story and get right to the technical details about how the exploit works, go read about the exploit discovered by Mark Slemko.

.jeff

Jeff Howden (.jeff) is a web developer working for Vos & Howden, LLC in Portland, Oregon where he's partnered with long-time colleague, Anthony Vos. His skills include ColdFusion, JavaScript, CSS, XML, relational databases, and much, much more. His biggest professional accomplishments include, but are not limited to:

  • building a ColdFusion-based e-commerce solution for Mt. Bachelor that transacted over $1.62 million dollars in September 2001 with 0 (yes, that's zero) ColdFusion errors and then an almost completely rebuilt version transacted $2.86 million dollars in September 2002.
  • being asked to be a Technical Editor for the ColdFusion MX book, Inside ColdFusion MX from New Rider's Publishing company.
  • being asked by BrainBench to perform quality control on their JavaScript 1.5 certification test after receiving the highest beta test score out of 200 testees.
  • managing the server that hosts evolt.org and withstanding a slashdotting that brought over 1,000,000 hits to the site, over 10 gigs of data transfer, and an average in excess of 2300 unique visitor sessions per hour, all within a 24-hour period and the server never hiccuping once.

The access keys for this page are: ALT (Control on a Mac) plus:

evolt.org Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author, please do not redistribute or use elsewhere without checking with the author.