Microsoft issues patch for hole in IE

Microsoft Corp. now has a patch available for the security hole in Internet Explorer Versions 5.5 and 6 that can expose cookie data to malicious hackers.

The vulnerability was first publicized last week by Online Solutions Ltd., a Finnish security firm that alerted Microsoft to the vulnerability Nov. 1 but released the existence and details of the exploit before Microsoft issued a patch.

Microsoft then posted an advisory and recommended that users disable Active Scripts in IE to prevent their cookie data from being stolen. However, disabling active scripts also renders some Web sites unusable.

The vulnerability lies in the ability of a malicious hacker to write an intentionally malformed URL in a Web page address. The action allows a hacker to see the cookies deposited by other Web sites on the user's hard drive. While proper security practice wouldn't allow sensitive information to be stored in those cookies, some Web sites do place credit card and other personal information in the cookies.

A malformed Web address link in an HTML e-mail would also expose cookie data.

The patch shuts the ability of one Web site to grab information left by another Web site. The patch also addresses three previously undisclosed problems, according to the revised bulletin.

"The first two involve how IE handles cookies across domains," the bulletin states. "Although the underlying flaws are completely unrelated, the scope is exactly the same -- in each case, a malicious user could potentially craft a URL that would allow them to gain unauthorized access to a user's cookies and potentially modify the values contained in them."

The bulletin goes on to say that "the third vulnerability is a new variant of a vulnerability discussed in Microsoft Security Bulletin MS01-051 affecting how IE handles URLs that include dotless IP addresses. ... [IE] would treat the site as an intranet site, and open pages on the site in the Intranet Zone rather than the correct zone. This would allow the site to run with fewer security restrictions than appropriate. This vulnerability does not affect IE 6."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jennifer DiSabatino

Computerworld
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?