Security vulnerabilities persist after IE 6 patch

Only three days after the official release of the first patch for Microsoft Corp.'s Internet Explorer Version 6 Web browser, security experts are raising concerns about security vulnerabilties that were not addressed by the company.

The patch release, known as "Service Pack 1" was posted Monday on Microsoft's Web site and contains fixes for more than 300 issues with Internet Explorer 6, which was first released with the Windows XP operating system in October of 2001. Despite the fixes, however, security experts warn that significant vulnerabilties remain even after applying the patch.

"Security-wise, I would say it's pretty bad right now," says Thor Larholm, a security researcher for Pivx Solutions LLC, a Newport Beach, California, security consulting company.

"You can do anything to anyone's Web page with Internet Explorer 6. It's wide open to anyone."

Top among Larholm and other security experts' concerns are vulnerabilties that make it possible for attackers to take advantage of holes in the web of restrictions and security rules that make up Microsoft's Dynamic HTML (Hypertext Markup Language) Object Model, which governs the interaction of windows, dialog boxes and Web page frames.

An advisory issued recently by the Israeli security company GreyMagic Software warns about the potential dangers, when using Internet Explorer, including Version 6 Service Pack 1, of what is referred to as "cross-frame scripting."

Intended to make it easy to pass information back and forth to different parts of a Web page, cross-frame scripting also makes it possible for attackers, once their Web page is loaded by the Internet Explorer, to use JavaScript to change the URL (uniform resource locator) displayed in one Web page sub-frame, referred to as a "child" to match that of the main Web page or "parent," thus circumventing a host of security rules that prohibit the free interaction between frames displaying different Internet domains. Once in control of the parent frame, the URL of that frame can be replaced with a new script that allows an attacker to read information from cookies and other files containing a user's personal information.

And, experts say, because of the tight integration between Microsoft's Internet Explorer browser and its other Office products, such as the popular e-mail program Outlook, there is no shortage of ways to trick unsuspecting users into visiting a Web page that a hacker controls.

"This can be done in many ways," said Lee Dagon, a researcher at GreyMagic.

"For example, some versions of Outlook Express and Outlook render e-mails sent in HTML format ... this means that scripts can execute and therefore the vulnerability becomes exploitable by e-mail," Dagon said.

While not all of the vulnerabilties Larholm identified are severe, the Denmark-based researcher said that the sheer number of different security holes make it easy for attackers to move freely once they have gained access to a machine using Internet Explorer and running Windows.

"They all add up," Larholm said in reference to the security holes. "Some are mild, some are severe, but when you combine them, they can be devastating."

An example of the cumulative effect of such holes can be found in an advisory posted on, a security Web site. Taking advantage of three separate Internet Explorer vulnerabilties, one reported more than a year ago, those who run the Web site were able to demonstrate how a program could be silently placed and run on a remote computer with no user interaction other than visiting an attacker's Web page and having the Internet Explorer and Windows Media Player -- both standard Microsoft Windows applications -- installed.

Such vulnerabilties are particularly dangerous when coupled with an unsuspecting user, Dagon said.

"Users are generally trusting their browser to keep them safe and most of them don't even realize that a simple Web page may be able to access their private documents," Dagon said.

When asked for comment on the issues raised by Larholm and other security experts, a spokesman for Microsoft said that the company firmly believes it acts in the best interest of customers, and that Microsoft's security experts often reach different conclusions about the technical feasibility of the possible attacks identified by third-party security experts.

Despite the vulnerabilties he found, Larholm still recommends that Internet Explorer users upgrade to Service Pack 1.

"If you're going to use Internet Explorer, I would recommend upgrading to Service Pack 1," Larholm said. "The vulnerabilties that exist in (Internet Explorer version 6.0) Service Pack 1 exist in the 5.0, 5.5 and 6.0 browsers too, and the improvements in Service Pack 1 are adequate to justify upgrading."

In addition, the lack of attention to vulnerabilties in other browser platforms doesn't mean that those are more secure, Larholm said. "Even though Internet Explorer is very high profile on vulnerabilties doesn't mean that those vulnerabilties don't exist in other browsers as well."

Indeed, other browsers may be just as susceptible as Internet Explorer, but are much less commonly used.

"The Netscape, Opera, and Konqueror browsers, nobody writes exploits for those (browsers) because nobody really cares," Larholm said. "They'll have to have more than 1 percent or 2 percent of users before people start to notice."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?