
Microsoft issues fix for IE frame hole

The software giant posts a patch for the "Frame Spoof" security hole in IE, which lets Web site authors display fraudulent frames from within a third-party's site.

Paul Festa, Staff Writer, CNET News.com

Microsoft has moved to keep Internet Explorer users from getting framed.

The software giant has posted a patch for the "Frame Spoof" security vulnerability in its Internet Explorer browser. The security hole lets a malicious Web site author load a fraudulent frame--a type of window-within-a-window used on many Web sites--into a third party's Web page, so that the attacker's content appears to be part of the trusted site. Such an exploit could be used to disseminate false information framed within a trusted site, or to fool users into handing over confidential information, such as passwords or account details, to a form that only looks like the trusted site's own.

Microsoft reported no actual instances of such an exploit taking place. In a hypothetical case, the user first would have to visit a site designed to insert a spoofed frame into the user's browser window at a site the user visits afterward; the attacker's page does the work from the user's own browser, not from the trusted site's server. The spoof therefore affects the client only: the trusted site itself is unchanged, and only the individual user who visited the attacker's page would see the fraudulent frame.

Microsoft issued a security bulletin on the problem last week, along with patches for IE versions 3.x and 4.x for the Windows, Macintosh, and Unix platforms.

The patch makes frames "write-protected," or "read-only," across domains: a script on one domain can no longer replace the contents of a frame belonging to a page from another domain. However, within the same domain, such as within a corporate intranet, frames remain unprotected, so a hostile page served from the same domain as its target (for example, on a shared host) can still rewrite that target's frames after the patch.
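To make the mechanism concrete, here is a small model of frame targeting before and after the patch. This is an added illustration, not code from the article or from Microsoft's patch, and it does not touch a real browser: it keeps a tree of named windows and frames in memory and applies the article's rule (any script may navigate any named frame it can find; after the patch, frames from another domain are read-only). The names, origins and URLs (attacker, bank, intranet.corp, and so on) are invented for the example.

```javascript
// Toy model of IE frame targeting before and after the "Frame Spoof" patch.
// Added illustration, not code from the article or Microsoft's patch. Frame
// names, origins and URLs are invented; "origin" below stands in for the
// article's "domain".

// A browsing context: a top-level window or a frame inside one.
class BrowsingContext {
  constructor(name, origin, url, parent = null) {
    this.name = name;
    this.origin = origin;   // scheme://host the document was loaded from
    this.url = url;
    this.parent = parent;
    this.frames = [];
    if (parent) parent.frames.push(this);
  }
}

// All top-level windows the browser has open: the name table a script
// targets with window.open(url, name) or <a target="name">.
class Browser {
  constructor(patched) {
    this.patched = patched;
    this.windows = [];
  }

  openWindow(name, origin, url) {
    const w = new BrowsingContext(name, origin, url);
    this.windows.push(w);
    return w;
  }

  // Depth-first search for a frame by name across every open window.
  findByName(name) {
    const stack = [...this.windows];
    while (stack.length) {
      const ctx = stack.pop();
      if (ctx.name === name) return ctx;
      stack.push(...ctx.frames);
    }
    return null;
  }

  // A script running in `source` tries to load `url` into the frame named
  // `targetName`. Unpatched: any named frame may be navigated. Patched: the
  // target is read-only unless it shares the source's origin.
  navigate(source, targetName, url) {
    const target = this.findByName(targetName);
    if (!target) return { ok: false, reason: "no such frame" };
    if (this.patched && target.origin !== source.origin) {
      return { ok: false, reason: "cross-domain frame is read-only" };
    }
    target.url = url;
    return { ok: true, reason: "navigated" };
  }
}

// Scenario from the article: the user visits the attacker's page first, which
// opens the trusted site in a second window; the attacker's script then
// rewrites one of the trusted site's frames while the rest of that page,
// including its address, still belongs to the trusted site.
function frameSpoofScenario(patched) {
  const browser = new Browser(patched);
  const attacker = browser.openWindow("attacker", "http://evil.example", "http://evil.example/");
  const bank = browser.openWindow("bank", "http://bank.example", "http://bank.example/");
  new BrowsingContext("nav", "http://bank.example", "http://bank.example/nav.html", bank);
  const content = new BrowsingContext("content", "http://bank.example", "http://bank.example/account.html", bank);

  const result = browser.navigate(attacker, "content", "http://evil.example/fake-login.html");
  return { ...result, contentUrl: content.url };
}

// Same-domain case the article flags as still unprotected after the patch.
function intranetScenario(patched) {
  const browser = new Browser(patched);
  const a = browser.openWindow("a", "http://intranet.corp", "http://intranet.corp/a.html");
  const b = browser.openWindow("b", "http://intranet.corp", "http://intranet.corp/b.html");
  const body = new BrowsingContext("body", "http://intranet.corp", "http://intranet.corp/body.html", b);
  const result = browser.navigate(a, "body", "http://intranet.corp/other.html");
  return { ...result, bodyUrl: body.url };
}

console.log("unpatched, cross-domain:", frameSpoofScenario(false));
console.log("patched, cross-domain:  ", frameSpoofScenario(true));
console.log("patched, same domain:   ", intranetScenario(true));
```

Running it shows the three cases the article describes: without the patch the attacker's fake login page lands inside the bank window's "content" frame, with the patch that navigation is refused and the frame keeps its original URL, and with the patch a page on the same domain can still rewrite a neighbour's frame, which is why the intranet caveat matters.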

"Microsoft highly recommends that all affected customers download the updated patch to protect their computers," read the security bulletin.

The patch includes updates for two other recent IE security patches--one for the "Untrusted Scripted Paste" problem and another for the "Cross Frame Navigate" problem, more commonly known as the "Cuartango" holes after their discoverer, Juan Carlos Garcia Cuartango of Spain. Both vulnerabilities let malicious Web site operators read specified files from visitors' hard drives.

Those two patch updates are the result of newly discovered variants of the file-snooping vulnerabilities. Though technically unrelated to the frame issue, Microsoft lumped the fixes together because they modify the same set of browser files.

Microsoft credited Richard Reiner of SecureXpert Labs with discovering the framing security hole and reiterated credit to Cuartango for his work on the file-reading holes.

CNET News.com's Stephen Shankland contributed to this report.