X

Microsoft offers patch for cookie hole

The software titan issues a patch almost a week after a vulnerability is revealed in Internet Explorer that allows hackers to gain access to someone's cookies.

CNET News staff
2 min read
By Wendy McAuliffe

Microsoft has issued a patch almost a week after a vulnerability was revealed in Internet Explorer that would allow hackers to gain access to someone's cookies and expose the sensitive information they contain.

The exploit was discovered last week and reported publicly rather than directly to Microsoft. At the time, the software giant advised customers to disable Active Scripting, to protect them from the Web-hosted and mail-borne variants of the vulnerability.

Microsoft says the patch released Wednesday represents a fast turnaround by its security team.

"The vulnerability was publicly disclosed by someone who discovered the vulnerability on Nov. 8, which was extremely irresponsible," said a Microsoft representative. "The immediate action that we took was to issue a work-around so that system administrators could protect themselves, and a patch was issued yesterday."

The high-risk vulnerability in IE 5.5 and 6.0 allows malicious code to gain unauthorized access to the cookies that are used to customize and retain a site's setting for a customer across multiple sessions. Because some e-commerce Web sites use cookies to store sensitive information about consumers, it is possible that personal information could be exposed through the software hole.

"It is a serious issue--people have always been worried about cookies, but have never considered that someone else could use the information from a Web site that they run," said Mark Read, security analyst at MIS Corporate Defence Solutions.

The vulnerability came shortly after security flaws were found in Microsoft's Passport authentication system, causing the software maker to remove part of the service from the Internet. The privacy breach in Wallet, a Passport service that keeps track of data used by e-commerce sites, potentially exposed the financial data of thousands of consumers, undermining the company's recent efforts to convince people that it is serious about security.

Read said he thinks it unlikely that the privacy policies of e-commerce sites will allow customer credit card details to be displayed as cookie information, but there is the potential for hackers to use the information to order goods online.

Cookies are text files, saved on a computer hard drive as a unique reference for identifying individual customers. "There is no easy way to get around cookies, as there needs to be some way of placing a unique identifier on a computer to say 'this is me'--the only alternative is digital certificates," said Read.

Staff writer Wendy McAuliffe reported from London.