
IE security hole leads to cookie jar

A vulnerability in Internet Explorer 6.0, 5.5 and possibly earlier versions opens access to Web accounts that hold everything from credit card numbers to passwords.

Stefanie Olsen Staff writer, CNET News
Microsoft has warned that versions of Internet Explorer can expose consumers' personal data contained within cookies.

The vulnerability exists within IE 5.5 and 6.0, but earlier browser editions "may or may not be affected," according to a security bulletin posted to Microsoft's Web site Thursday. The security flaw allows an outsider to break into cookies--tiny electronic files used by Web sites to file account information or personalize pages--through a specially crafted Web page or e-mail. A person could then steal or alter data from Web accounts, including credit card numbers, usernames and passwords.

"A malicious Web site with a malformed URL could read the contents of a user's cookie, which might contain personal information," according to the Redmond, Wash.-based company. "In addition, it is possible to alter the contents of the cookie. This URL could be hosted on a Web page or contained in an HTML e-mail."

The vulnerability comes only a week after security flaws were found in Microsoft's Passport authentication system, causing the software maker to remove part of the service from the Internet. The privacy breach in the Passport service, which keeps track of data used by e-commerce sites, potentially exposed the financial data of thousands of consumers, undermining the company's recent efforts to convince people that it is serious about security.

The security problem could also undermine Microsoft's recent efforts to promote privacy. The company has touted its recent release of IE 6 as the safest and most data-sensitive browser to date. With IE 6, Microsoft adopted a privacy standard called P3P, which allows consumers to set their browser preferences to reject Web sites with inadequate privacy policies.

But because of the IE security flaw, personal data transferred to Web sites with the highest privacy standards may still be vulnerable.

Microsoft said the flaw doesn't affect P3P directly, however.

"Once we have a patch out, then the P3P features will be functioning as they've been designed," said Christopher Budd, security program manager for Microsoft's security response center.

Privacy and security expert Richard Smith verified the IE security flaw by writing a tiny bit of JavaScript to hijack information contained in a cookie.

Technically, the flaw exists in the way IE handles cookies across Web sites. To illustrate, the browser should only allow Web site A to access someone's cookie for Web site A, and so on. But through the vulnerability, an outside Web site or e-mail could tap information contained in a cookie for Web site A.
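
The rule described above, that a page may see only the cookies scoped to its own site, is sketched below as an added example; it is not code from Internet Explorer, Microsoft's bulletin or Richard Smith's test. The jar contents, host names and function names are constructed for illustration, and the matching follows the usual domain and path rules for cookies, with any URL that does not parse as http(s) receiving nothing.

```javascript
// Added illustration, not code from Internet Explorer or the advisory.
// Jar contents and host names below are constructed sample data.
const jar = [
  { name: "session", domain: "site-a.example", hostOnly: true,  path: "/" },
  { name: "prefs",   domain: "site-a.example", hostOnly: false, path: "/" },
  { name: "cart",    domain: "site-b.example", hostOnly: true,  path: "/shop" },
];

// Domain-match: exact host, or (for domain cookies only) a subdomain
// that ends on a label boundary, so "evil-site-a.example" never matches.
function domainMatches(host, cookie) {
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith("." + cookie.domain);
}

// Path-match: the cookie path is the request path or a directory prefix of it.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Return the names of the cookies the given page URL may see.
// Anything that does not parse as an http(s) URL gets nothing (fail closed).
function cookiesFor(pageUrl, cookies = jar) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return [];
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return [];
  const host = url.hostname.toLowerCase();
  return cookies
    .filter((c) => domainMatches(host, c) && pathMatches(url.pathname, c.path))
    .map((c) => c.name);
}

console.log(cookiesFor("https://site-a.example/account"));
console.log(cookiesFor("https://site-b.example/shop/cart"));
```

The scoping decision is made on the parsed host, never on the raw URL string, so a string that merely contains "site-a.example" somewhere does not gain access to site A's cookies.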

"I couldn't believe how easy it is," Smith said. "The danger here is that once you get somebody's cookie information for a particular Web site, you can get access to that account, whether it's private financial information or travel records."

Microsoft, which labeled the security problem "high" risk, said it is working on a patch.

"This is clearly a high priority, and we've been working around the clock on this. Unfortunately we have a workaround rather than a patch," said Budd.

Until the patch is ready, Microsoft is urging IE users to disable active scripting in their browser settings. In addition, consumers using Outlook Express should set their preferences within the mail program to allow only "Restricted Sites" to load, according to the company.

To disable active scripting in IE, open the Tools menu in the browser, followed by Internet Options and then the tab for Security. Next, open the Custom Level option; in the Settings box, scroll down to the Scripting section. Click Disable under "Active scripting" and "Scripting of Java applets." Click OK, and then click OK again.

The flaw was first reported on security mailing list Bugtraq.