ZDNet UK


IE 5.5 exploit evades security feature

Will Knight ZDNet.co.uk

Published: 07 Sep 2000 15:26 BST


The latest in a long line of bugs to hit Microsoft's Internet Explorer will allow unauthorised access to files on a victim's computer, according to respected Bulgarian bug-hunter, Georgi Guninski.

The "IE 5.5 Cross Frame security vulnerability" uses JavaScript, a Web page scripting language, to bypass security features built into Internet Explorer. It allows the contents of a file to be sent back to a Web server when a page containing the mischievous JavaScript is visited.

Guninski outlines this vulnerability on his Web site where he also provides a demonstration of the exploit in action. Although Microsoft is reportedly working on a fix, there is currently no patch. Guninski recommends users disable active scripting to be safe.

Security has become something of a regular concern for Microsoft's Internet Explorer browser and some experts believe this latest issue is an especially serious problem.

"It is very significant because cross site scripting was touted as a new security feature," says Greg Jones, senior security engineer with consultancy firm Information Risk Management. "They've [Microsoft] dug their own grave, to an extent."

The bug might also leave Microsoft particularly red-faced, considering that the software giant recently released Advanced Security Privacy, a beta program designed to increase the security of Internet Explorer 5.5 and give users greater control over tracking features such as cookies.

Security experts stress the particular security hole poses only a minimal threat to Internet users. However, it may be better to be safe than sorry, they say. "You need to keep up to date with the news," advises Deri Jones, marketing manager for DTA Monitor. "The only way [companies] can really find out whether they are secure is to get security tested. That is where the rubber hits the road."
