IE6 Fix Is Incomplete, Security Experts Say

First Service Pack update to browser called flawed, but users urged to update anyway.

Only three days after Microsoft released the first service pack for Internet Explorer 6, security experts are raising concerns about vulnerabilities that are not addressed in the update.

Service Pack 1 was posted Monday on Microsoft's Web site and contains fixes for more than 300 issues with Internet Explorer 6, which first shipped with Windows XP last October. Microsoft also released SP1 for Windows XP on Monday. That service pack apparently fixes a major flaw involving the IE browser. The IE6 service pack, however, applies to versions of IE6 running under Windows Me, 2000, 98, and NT 4--as well as Windows XP.

Despite the fixes, however, security experts warn that significant vulnerabilities remain even after applying the patch.

"Security-wise, I would say it's pretty bad right now," says Thor Larholm, a researcher for security consulting company Pivx Solutions. "You can do anything to anyone's Web page with Internet Explorer 6. It's wide open to anyone."

When asked for comment on the issues raised by Larholm and other security experts, a Microsoft representative said the company firmly believes it acts in the best interest of customers, and that Microsoft's security experts often reach different conclusions about the technical feasibility of the possible attacks identified by third-party security experts.

The Service Pack is available on the Windows Update section of Microsoft's site.

Peeking at Cookies

Top among Larholm and other security experts' concerns are vulnerabilities that make it possible for attackers to take advantage of holes in the web of restrictions and security rules that make up Microsoft's Dynamic HTML Object Model, which governs the interaction of windows, dialog boxes, and Web page frames.

An advisory issued recently by the Israeli security company GreyMagic Software warns about the potential dangers of what is called "cross-frame scripting."

Cross-frame scripting is intended to make it easy to pass information back and forth to different parts of a Web page. But the function also makes it possible for attackers, once IE loads their Web page, to use JavaScript to change the URL displayed in one Web page subframe (or "child") to match that of the main Web page ("parent"), circumventing security rules that prohibit free interaction among frames displaying different domains. Once in control of the parent frame, the attackers could replace that frame's URL with a new script that lets them read information from cookies and other files containing a user's personal information.

Because of the tight integration between IE and other Microsoft applications, notably Outlook, there is no shortage of ways to trick unsuspecting users into visiting a Web page that a hacker controls.

"For example, some versions of Outlook Express and Outlook render e-mails sent in HTML format.... This means that scripts can execute, and therefore the vulnerability becomes exploitable by e-mail," says Lee Dagon, a researcher at GreyMagic.

While not all of the vulnerabilities Larholm identified are severe, the Denmark-based researcher says the sheer number of different security holes makes it easy for attackers to move freely once they gain access to a PC running IE under Windows. "Some [holes] are mild, some are severe, but when you combine them, they can be devastating," he adds.

Some Improvement

An example of the cumulative effect of such holes can be found in an advisory posted on Malware.com, a security Web site. Taking advantage of three separate IE vulnerabilities, including one more than a year old, the site managers demonstrated how they could place and run a program on a remote PC. No user interaction was needed other than visiting the attacker's site and having both IE and Windows Media Player--both bundled with Windows--installed.

Such vulnerabilities are particularly dangerous when coupled with an unsuspecting user, Dagon says.

"Users are generally trusting their browser to keep them safe, and most of them don't even realize that a simple Web page may be able to access their private documents," Dagon says.

Despite the vulnerabilities he found, Larholm still recommends that Internet Explorer users upgrade to Service Pack 1.

"If you're going to use Internet Explorer, I would recommend upgrading to Service Pack 1," Larholm says. "The vulnerabilities that exist in [IE6] Service Pack 1 exist in the 5.0, 5.5, and 6.0 browsers too, and the improvements in Service Pack 1 are adequate to justify upgrading."

In addition, the lack of attention to vulnerabilities in other browser platforms doesn't mean that those are more secure, Larholm says. "Even though Internet Explorer is very high profile on vulnerabilities doesn't mean that those vulnerabilities don't exist in other browsers as well."

Indeed, other browsers may be just as susceptible as Internet Explorer but are much less commonly used.

"The Netscape, Opera, and Konqueror browsers, nobody writes exploits for those because nobody really cares," Larholm says. "They'll have to have more than 1 percent or 2 percent of users before people start to notice."
