Reported earlier this month, the first bug fixed in both IE 4 and 5 could reveal local files and permit window spoofing. The bug lets a malicious Web site operator add a brief suffix to a URL in order to misrepresent its origin. In this way, an exploit can bypass IE's security zones, as IE treats the Web site as though it were part of the client's local domain, such as within a corporate intranet.
One consequence of the bug is that a malicious Web site operator could read local files and send them to another server if he or she knows the name of a file on the visitor's machine. A second consequence is that the Web operator can spoof a window of a trusted site, potentially tricking visitors into giving up sensitive information such as usernames, passwords, or credit card information.
Microsoft has had to reckon with this type of bug several times in the past.
The second bug Microsoft has patched, reported last month, makes users' clipboards susceptible to inspection by Web operators. The vulnerability, which affects IE 5 only, lets a Web site operator paste a Web page control into a visitor's clipboard.
The clipboard holds text that users have most recently copied or cut. The clipboard stores only one clip at a time, so a new clip automatically erases the previous one.
A third fix repairs a comparatively minor privacy bug in IE 4 and 5 that would let a Web site operator glean information about the size of a known file and what kind of application is needed to open it. The vulnerability exists because IE lets Web authors use an image source tag (IMG SRC) to refer to files that are not, in fact, images. The fix scans files indicated by these tags to make sure they are, indeed, images.
The patch, implemented in the IE 5 parsing engine, is available from the Microsoft Web site.
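The kind of check the third fix describes, sketched as an added example (not Microsoft's code): the bytes behind an IMG SRC reference are matched against known image signatures, and a non-image yields the same result whatever its size or type. The function names, signature list and sample inputs are assumptions made for illustration.

```javascript
// Added illustration; the signature list is an assumption, not IE's actual table.
const IMAGE_SIGNATURES = [
  { type: "image/gif",  magic: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // "GIF87a"
  { type: "image/gif",  magic: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // "GIF89a"
  { type: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { type: "image/png",  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  // "BM" is only two bytes, so a real decoder must also validate the header.
  { type: "image/bmp",  magic: [0x42, 0x4d] },
];

// Return the image MIME type whose signature prefixes the bytes, or null.
function sniffImageType(bytes) {
  for (const { type, magic } of IMAGE_SIGNATURES) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return type;
    }
  }
  return null;
}

// What page script may learn about an IMG SRC target (hypothetical shape).
// Every non-image produces an identical result, so neither the file's size
// nor the application that opens it can be inferred from the outcome.
function loadImageResource(bytes) {
  const type = sniffImageType(bytes);
  if (type === null) {
    return { loaded: false, type: null, byteLength: null };
  }
  return { loaded: true, type, byteLength: bytes.length };
}

// Constructed sample inputs: a GIF header, an OLE compound-document header
// (the container used by older Office files), plain text, a truncated PNG.
const SAMPLES = {
  gif: Uint8Array.from([0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 1, 0, 1, 0]),
  oleDocument: Uint8Array.from([0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1, 0, 0]),
  text: new TextEncoder().encode("BUDGET 1999\r\n"),
  truncated: Uint8Array.from([0x89, 0x50]),
};

for (const [name, bytes] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(loadImageResource(bytes)));
}
```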
Microsoft also said it was working on another minor privacy hole in IE 5. One of IE 5's new features lets a Web site offer an icon that users can attach to the site's listing if they choose it as a "favorite." In an apparently inconsequential privacy violation, the site can see whether or not a user at a particular IP address downloads the icon. Microsoft is looking into ways to prevent sites from doing so.