ZDNet UK



Microsoft takes a week to issue patch for IE hole

Wendy McAuliffe ZDNet.co.uk

Published: 15 Nov 2001 14:50 GMT


It has taken Microsoft almost a week to issue a patch for a serious HTML vulnerability in Internet Explorer (IE), which would allow hackers to gain access to a user's cookies and expose the sensitive information that they contain.

The exploit was discovered on 8 November, and was reported publicly rather than directly to Microsoft. On the same day, the software giant advised customers to disable Active Scripting, which would protect them from the Web-hosted and mail-borne variants of the vulnerability. Microsoft is insisting that the patch released on 14 November represents a fast turn-around by its security team.

"The vulnerability was publicly disclosed by someone who discovered the vulnerability on 8 November, which was extremely irresponsible," said a spokesperson at Microsoft. "The immediate action that we took was to issue a work-around so that system administrators could protect themselves, and a patch was issued yesterday."

The high-risk vulnerability in IE 5.5 and 6.0 allows malicious code to gain unauthorised access to the cookies that are used to customise and retain a site's settings for a customer across multiple sessions. Because some e-commerce Web sites use cookies to store sensitive information about users, it is possible that personal information could be exposed through the software hole.

"It is a serious issue -- people have always been worried about cookies, but have never considered that the information could be used by someone else from a Web site that they run," said Mark Read, security analyst at MIS Corporate Defence Solutions.

Read thinks it unlikely that the privacy policies of e-commerce sites will allow customer credit card details to be displayed as cookie information, but there is the potential for hackers to use the information to order goods online.

Cookies are text files, saved on a computer hard drive as a unique reference for identifying individual customers. "There is no easy way to get around cookies, as there needs to be some way of placing a unique identifier on a computer to say 'this is me' -- the only alternative is digital certificates," said Read.
