A new vulnerability for IE and Outlook.

by Majik on November 9th, 2001

Users of Microsoft's browser and e-mail programs could be vulnerable to having their browser cookies stolen or modified due to a new security bug in Internet Explorer (IE), the company warned today.

According to a bulletin issued today, a flaw in the latest versions of IE could enable a malicious Web site or e-mail message to read or alter the contents of a user's browser cookies, the small data files used by many Web sites to store information on a visitor's system.

Because cookies are sometimes used for storing sensitive information such as usernames and passwords or other user authentication data, Microsoft has categorized the flaw as a high risk.

Microsoft is advising users to disable IE's active scripting feature until it can complete development of a patch. The software firm's bulletin provides instructions on how users of Internet Explorer and Microsoft's Outlook and Outlook Express e-mail clients, which rely on IE to render HTML messages, can protect against the bug until the patch is available.

According to Jouko Pynnonen, a Finnish security researcher who discovered the flaw, IE can be forced to divulge its cookies when fed a specially crafted Internet address or URL that begins with the command "About:."

With the assistance of some JavaScript code, an attacker could construct a Web page or HTML-based e-mail that could access any cookie in the browser's memory or those stored on disk, said Pynnonen in an advisory published today on the Web and on security mailing lists.

"The JavaScript code might just pass the cookie contents to a script or a CGI program which could quietly store the information to a file and then redirect the browser elsewhere or show some seemingly harmless Web content," wrote Pynnonen, who said he discovered the flaw while testing a Web development tool that relies on cookies.

According to Microsoft, the flaw is present in Internet Explorer version 5.5 with service pack 2 and Internet Explorer version 6. The company said previous versions of the browser are no longer supported and may or may not be affected by the vulnerability.

Pynnonen said he notified Microsoft about the flaw November 1 and withheld publishing his advisory until the software firm had released its own bulletin. Microsoft's document criticized Pynnonen for handling his discovery of the bug "irresponsibly" and giving the company inadequate time to prepare a patch.

In May of 2000, IE was found to be vulnerable to a similar cookie-stealing exploit that relied on the use of special characters in the URL. Microsoft subsequently released a patch that corrected the flaw.

By design, browsers should only allow sites to access cookies they have placed on a user's machine and not those from other sites.
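The scoping rule in the paragraph above, as an added example that is not part of the original article or of any Microsoft code: a sketch of cookie domain and path matching as later standardized in RFC 6265, in which a document loaded from a non-HTTP scheme such as about: is given no cookies at all. The cookie jar, host names and function names are constructed for illustration.

```javascript
// Added example: cookie scoping rules (RFC 6265 sections 5.1.3, 5.1.4, 5.4).
// JAR entries and host names are constructed sample data.
const JAR = [
  { name: "session", domain: "bank.example", hostOnly: true, path: "/", secure: true },
  { name: "prefs", domain: "shop.example", hostOnly: false, path: "/", secure: false },
  { name: "cart", domain: "shop.example", hostOnly: false, path: "/checkout", secure: false },
];

// Domain-match: identical host, or (for cookies set with a Domain attribute)
// a subdomain of the cookie domain. IP literals never match as subdomains.
function domainMatch(host, cookie) {
  host = host.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (host === domain) return true;
  if (cookie.hostOnly) return false;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Path-match: the cookie path must be a prefix ending on a "/" boundary,
// so "/checkout" covers "/checkout/step1" but not "/checkoutx".
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a document at urlString is allowed to read.
function cookiesVisibleTo(urlString, jar) {
  let url;
  try { url = new URL(urlString); } catch { return []; }
  // Only http(s) documents belong to a site that can own cookies;
  // about:, data:, file: and similar schemes get an empty set.
  if (url.protocol !== "http:" && url.protocol !== "https:") return [];
  return jar
    .filter(c => domainMatch(url.hostname, c)
      && pathMatch(url.pathname, c.path)
      && (!c.secure || url.protocol === "https:"))
    .map(c => c.name);
}
```
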
