Security vulnerabilities persist after IE 6 patch

Only three days after the official release of the first patch for Microsoft Corp.'s Internet Explorer Version 6 Web browser, security experts are raising concerns about security vulnerabilties that were not addressed by the company.

The patch release, known as "Service Pack 1" was posted Monday on Microsoft's Web site and contains fixes for more than 300 issues with Internet Explorer 6, which was first released with the Windows XP operating system in October of 2001. Despite the fixes, however, security experts warn that significant vulnerabilties remain even after applying the patch.

"Security-wise, I would say it's pretty bad right now," says Thor Larholm, a security researcher for Pivx Solutions LLC, a Newport Beach, California, security consulting company.

"You can do anything to anyone's Web page with Internet Explorer 6. It's wide open to anyone."

Top among Larholm and other security experts' concerns are vulnerabilties that make it possible for attackers to take advantage of holes in the web of restrictions and security rules that make up Microsoft's Dynamic HTML (Hypertext Markup Language) Object Model, which governs the interaction of windows, dialog boxes and Web page frames.

An advisory issued recently by the Israeli security company GreyMagic Software warns about the potential dangers, when using Internet Explorer, including Version 6 Service Pack 1, of what is referred to as "cross-frame scripting."

Intended to make it easy to pass information back and forth to different parts of a Web page, cross-frame scripting also makes it possible for attackers, once their Web page is loaded by the Internet Explorer, to use JavaScript to change the URL (uniform resource locator) displayed in one Web page sub-frame, referred to as a "child" to match that of the main Web page or "parent," thus circumventing a host of security rules that prohibit the free interaction between frames displaying different Internet domains. Once in control of the parent frame, the URL of that frame can be replaced with a new script that allows an attacker to read information from cookies and other files containing a user's personal information.

And, experts say, because of the tight integration between Microsoft's Internet Explorer browser and its other Office products, such as the popular e-mail program Outlook, there is no shortage of ways to trick unsuspecting users into visiting a Web page that a hacker controls.

"This can be done in many ways," said Lee Dagon, a researcher at GreyMagic.

"For example, some versions of Outlook Express and Outlook render e-mails sent in HTML format ... this means that scripts can execute and therefore the vulnerability becomes exploitable by e-mail," Dagon said.

While not all of the vulnerabilties Larholm identified are severe, the Denmark-based researcher said that the sheer number of different security holes make it easy for attackers to move freely once they have gained access to a machine using Internet Explorer and running Windows.

"They all add up," Larholm said in reference to the security holes. "Some are mild, some are severe, but when you combine them, they can be devastating."

An example of the cumulative effect of such holes can be found in an advisory posted on Malware.com, a security Web site. Taking advantage of three separate Internet Explorer vulnerabilties, one reported more than a year ago, those who run the Web site were able to demonstrate how a program could be silently placed and run on a remote computer with no user interaction other than visiting an attacker's Web page and having the Internet Explorer and Windows Media Player -- both standard Microsoft Windows applications -- installed.

Such vulnerabilties are particularly dangerous when coupled with an unsuspecting user, Dagon said.

"Users are generally trusting their browser to keep them safe and most of them don't even realize that a simple Web page may be able to access their private documents," Dagon said.

When asked for comment on the issues raised by Larholm and other security experts, a spokesman for Microsoft said that the company firmly believes it acts in the best interest of customers, and that Microsoft's security experts often reach different conclusions about the technical feasibility of the possible attacks identified by third-party security experts.

Despite the vulnerabilties he found, Larholm still recommends that Internet Explorer users upgrade to Service Pack 1.

"If you're going to use Internet Explorer, I would recommend upgrading to Service Pack 1," Larholm said. "The vulnerabilties that exist in (Internet Explorer version 6.0) Service Pack 1 exist in the 5.0, 5.5 and 6.0 browsers too, and the improvements in Service Pack 1 are adequate to justify upgrading."

In addition, the lack of attention to vulnerabilties in other browser platforms doesn't mean that those are more secure, Larholm said. "Even though Internet Explorer is very high profile on vulnerabilties doesn't mean that those vulnerabilties don't exist in other browsers as well."

Indeed, other browsers may be just as susceptible as Internet Explorer, but are much less commonly used.

"The Netscape, Opera, and Konqueror browsers, nobody writes exploits for those (browsers) because nobody really cares," Larholm said. "They'll have to have more than 1 percent or 2 percent of users before people start to notice."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

Computerworld
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?