IE Hole Reveals Users' Cookie Data
Microsoft is working on patch, but for now malicious sites could siphon information from IE 5.5 and 6.0.
Jennifer DiSabatino, Computerworld online
A newly reported vulnerability in Microsoft's Internet Explorer allows hackers to steal or corrupt cookie information on a user's desktop through a malformed URL at a Web site or in an HTML e-mail.
The vulnerability means a user's personal information, such as a credit card number or home address, could be stolen by a malicious site, if other sites have stored that data on the user's hard drive. The flaw involved Microsoft's IE browser 5.5 and 6.0. A cookie is a file written by a Web server to your hard drive that identifies you to the site.
Microsoft rates the hole as a high security risk, but hasn't yet come out with a patch. For now, the software manufacturer urges users to apply a workaround by disabling active scripting. A full explanation and instructions for the workaround are on Microsoft's TechNet site.
Microsoft spokesperson Christopher Budd said the company faces a challenge in making consumers aware of the problem. "We are working with the press. We view the press as instrumental in getting out to the consumer base. As far as getting the word out, we are going high and low ... because clearly we have an interest in getting the word out."
He said Microsoft is taking measures such as creating easy downloads at consumer-oriented security sites to get patches.
"They don't have to worry or dig into the technical [side]. We put a lot of effort into our bulletins. We've taken great pains to describe this in as plain English as possible. There's not going to be a single easy answer to this."
Raising Questions
The vulnerability raises more questions over Microsoft's ability to securely manage personal data through its .Net and Passport services.
"I don't have faith in Passport anyway. It's like Swiss cheese. It's just another hole in the Swiss cheese called Passport," said Michele Rubenstein, a security expert in Washington and president of the EMA, a user forum within The Open Group, an IT user advocacy group.
To be fair, however, Rubenstein said Web sites that don't store data securely, or that store sensitive information in cookies, must also share the blame. "A well-designed Web page should not store vital or critical information in a cookie stored on a hard disk," she said.
The magnitude of the hole also presents a daunting task for Microsoft in alerting consumers who may not pay attention to security bulletins and don't know how to apply workarounds.
"People like my mom, who are on the Internet, aren't aware of these things," Rubenstein said. "How is she going to learn about that?" she asked, unless someone is checking on security issues for her.
In the statement posted yesterday, Microsoft said, "A malicious Web site with a malformed URL could read the contents of a user's cookie which might contain personal information. In addition, it is possible to alter the contents of the cookie. This URL could be hosted on a Web page or contained in an HTML e-mail ... The vulnerability results because of an unsafe handling of cookies across [Internet Explorer] zones."
That is, instead of restricting a Web site to reading only the cookies it set itself on the user's hard drive, IE allows a Web site to grab cookies set by other sites.
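The scoping rule the article says IE failed to enforce, as an added example that is not part of the article or of any browser's code: a minimal cookie jar that hands each cookie only to the host that set it (or, when a Domain attribute was given, to that domain and its subdomains) and only for matching paths, and that refuses to guess at a URL it cannot parse. The domain and path matching is a simplified form of the RFC 2109-style rules; the shop and attacker host names are constructed for the example.

```javascript
// Added example (not from the article): a cookie jar that enforces per-site
// cookie scoping. A request to one site never sees cookies another site set,
// and a malformed URL is rejected instead of being parsed leniently.
class CookieJar {
  constructor() {
    this.cookies = []; // in-memory store; real browsers persist this to disk
  }

  // Store a cookie sent by `originUrl`. `domain` and `path` mirror the
  // Set-Cookie attributes; with no domain the cookie is host-only.
  setCookie(originUrl, name, value, { domain, path = '/' } = {}) {
    const origin = new URL(originUrl); // throws TypeError on a malformed URL
    const originHost = origin.hostname.toLowerCase();
    let cookieDomain = originHost;
    let hostOnly = true;
    if (domain) {
      const d = domain.replace(/^\./, '').toLowerCase();
      // A site may set cookies only for itself or for a parent domain it belongs to.
      if (!domainMatches(originHost, d)) {
        throw new Error(`${originHost} may not set a cookie for ${d}`);
      }
      cookieDomain = d;
      hostOnly = false;
    }
    this.cookies.push({ name, value, domain: cookieDomain, hostOnly, path });
  }

  // Return the cookies a request to `requestUrl` is allowed to see.
  cookiesFor(requestUrl) {
    const req = new URL(requestUrl); // malformed URL: TypeError, nothing is returned
    const host = req.hostname.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .filter(c => pathMatches(req.pathname, c.path))
      .map(c => `${c.name}=${c.value}`);
  }
}

// `host` domain-matches `d` when it equals `d` or is a subdomain of it.
function domainMatches(host, d) {
  return host === d || host.endsWith('.' + d);
}

// The request path matches the cookie path when it equals it or is below it.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  const base = cookiePath.endsWith('/') ? cookiePath : cookiePath + '/';
  return reqPath.startsWith(base);
}

// Constructed scenario: a shop sets two cookies; requests from the shop, from a
// subdomain of it, and from an unrelated site are checked against the jar.
function demo() {
  const jar = new CookieJar();
  jar.setCookie('https://shop.example/', 'session', 'abc123');
  jar.setCookie('https://shop.example/', 'pref', 'dark', { domain: '.shop.example', path: '/account' });
  return {
    shop: jar.cookiesFor('https://shop.example/account/orders'), // both cookies
    shopRoot: jar.cookiesFor('https://shop.example/'),           // session only (path)
    sub: jar.cookiesFor('https://www.shop.example/account'),     // pref only (host-only excluded)
    other: jar.cookiesFor('https://attacker.invalid/'),          // nothing
  };
}
```

The two checks that matter for the flaw described above are that `cookiesFor` decides by the parsed host of the request, never by anything the page claims about itself, and that an unparseable URL raises rather than falling through to a lenient match.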
A Week's Notice
Microsoft was notified of the vulnerability November 1 by a Finnish security firm, Online Solution, another Microsoft spokesperson said. At first, the firm agreed to work with Microsoft, he said, but then decided it would be a good marketing opportunity to publicize the vulnerability.
Microsoft said in its advisory that the person who discovered this vulnerability has chosen to handle it irresponsibly and has deliberately made this issue public only a few days after reporting it to Microsoft.
Microsoft released the statement it received from Online Solution's CEO: "[F]inding and reporting of this kind of vulnerability is a great marketing opportunity for us ... we are willing to postpone the publication if we can find any way to work together so that our company would otherwise benefit from this. Otherwise we don't see any reason to not report this bug and use it for our marketing purposes."

For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.