
Bugs and Fixes: Fix Your Browser and Shop Safely

Suppose you're shopping online, and you click a link that opens another window at the same Web site--to check out shipping charges, say. Internet Explorer lets those two windows interact, because the browser grants them both the same security level. But if you open a window at another Web site or domain, IE is not supposed to allow that other window to share the same security privileges as the windows from the first site. So if you go from a merchant's site to a product-review page, for instance, the second site should not be able to let a malefactor access the credit card information you gave to the first site.

Unfortunately, you're not as safe as you may have thought. Microsoft recently discovered that IE's security model in this kind of scenario doesn't completely protect you: A clever attacker could lure you from a legitimate site to a malicious secondary site, or trick you into clicking a link included in an HTML e-mail message. And once you've been tricked into clicking a contaminated secondary window (or a link in an e-mail message), the bad guy could access your data or run programs that could damage your system. Note, however, that you can't get hurt unless you click. And reputable sites are not likely to have dangerous links embedded in their pages.

Microsoft identified two holes relating to IE's "cross domain security model," and it released a cumulative patch to take care of both flaws. The company, which rates the holes as "critical," provides patches for IE versions 6.0, 5.5, and 5.01 (you must install Service Pack 3 before you download these patches). Browse to Microsoft's security update for a link to the fixes. In the event of an e-mail attack, your PC is safe if you use Outlook Express 6.0 or Outlook 2002 (set to their "default" modes), or if you've installed the Outlook E-Mail Security Update.

But that's not the end of it. When you install the cumulative patch, a new problem pops up--and you'll need to download a separate fix to deal with it. (The problem emerged after Microsoft issued the cumulative patch.) Some IE 6 users may not be able to log on to certain Web sites that require authentication, such as subscription-based services. In fact, some people may not even be able to access their MSN e-mail accounts. Microsoft has released a fix for this problem.
