Security hole in IE reveals data in cookies



A newly reported vulnerability in Microsoft's Internet Explorer allows hackers to steal or corrupt cookie information on a user's desktop through a malformed URL at a Web site or in an HTML e-mail.

The vulnerability means a user's personal information, such as a credit card number or home address, could be stolen by a malicious site if other sites have stored that data on the user's hard drive. The flaw involves Microsoft's IE browser versions 5.5 and 6.0.

Microsoft rates the hole as a high security risk, but hasn't yet come out with a patch. For now, the software manufacturer urges users to apply a work-around by disabling active scripting. A full explanation and instructions for the work-around are on Microsoft's TechNet site.

Microsoft spokesman Christopher Budd said the company faces a challenge in making consumers aware of the problem. "We are working with the press. We view the press as instrumental in getting out to the consumer base. As far as getting the word out, we are going high and low... because clearly we have an interest in getting the word out."

He said Microsoft is taking measures such as making patches available as easy downloads at consumer-oriented security sites.

"They don't have to worry or dig into the technical [side]. We put a lot of effort into our bulletins. We've taken great pains to describe this in as plain English as possible. There's not going to be a single easy answer to this."

The vulnerability raises more questions over Microsoft's ability to securely manage personal data through its .Net and Passport services.

"I don't have faith in Passport anyway. It's like Swiss cheese. It's just another hole in the Swiss cheese called Passport," said Michele Rubenstein, a security expert in Washington and president of the EMA, a user forum within The Open Group, an IT user advocacy group.

To be fair, however, Rubenstein said Web sites that don't store data securely, or that store sensitive information in cookies, also must share the blame. "A well-designed Web page should not store vital or critical information in a cookie stored on a hard disk," she said.

The magnitude of the hole also presents a daunting task for Microsoft in alerting consumers who may not pay attention to security bulletins and don't know how to apply work-arounds.

"People like my mom, who are on the Internet, aren't aware of these things," Rubenstein said. "How is she going to learn about that," she asked, unless someone is checking on security issues for her.

In the statement posted yesterday, Microsoft said, "A malicious Web site with a malformed URL could read the contents of a user's cookie which might contain personal information. In addition, it is possible to alter the contents of the cookie. This URL could be hosted on a Web page or contained in an HTML e-mail ... The vulnerability results because of an unsafe handling of cookies across [Internet Explorer] zones."

That is, instead of restricting a Web site to reading only the cookies it stored on the user's hard drive, IE allows a Web site to grab cookies that other sites set.

Microsoft was notified of the vulnerability Nov. 1 by a Finnish security firm, Online Solution, another Microsoft spokesman said. At first, the firm agreed to work with Microsoft, he said, but then decided it would be a good marketing opportunity to publicize the vulnerability.

Microsoft said in its advisory that the person who discovered this vulnerability has chosen to handle it irresponsibly and has deliberately made the issue public only a few days after reporting it to Microsoft.

Microsoft released this statement sent to the company from Online Solution's CEO: "[F]inding and reporting of this kind of vulnerability is a great marketing opportunity for us...we are willing to postpone the publication if we can find any way to work together so that our company would otherwise benefit from this. Otherwise we don't see any reason to not report this bug and use it for our marketing purposes."

For more enterprise computing news, visit Computerworld online. Story copyright (c) 2001 Computerworld, Inc. All rights reserved.

Copyright, 1994-2006 Network World, Inc. All rights reserved.