Key vulnerabilities in Microsoft's Internet Explorer Version 6 Web
browser have not been addressed in the Service Pack that was
released on 9 September.
The patch contained fixes for more than 300 issues with Internet
Explorer 6, which was first released with the Windows XP operating
system in October 2001, but still left significant flaws.
Thor Larholm, researcher at security consulting company Pivx
Solutions, said the situation remained "pretty bad". He warned,
"You can do anything to anyone's Web page with Internet Explorer 6.
It's wide open."
Security experts' chief concerns centre on vulnerabilities that could
allow attackers to take advantage of holes in the web of
restrictions and security rules that make up Microsoft's Dynamic
HTML (Hypertext Markup Language) Object Model. This governs the
interaction of windows, dialogue boxes and Web page frames.
An advisory issued recently by Israeli security company GreyMagic
Software warned about the potential dangers of "cross-frame
scripting" when using Internet Explorer, including Version 6,
Service Pack 1.
Cross-frame scripting was intended to make it easy to pass
information back and forth to different parts of a Web page.
However, it also makes it possible for attackers, once a user's Web
page is loaded by Internet Explorer, to use JavaScript to change
the URL (uniform resource locator) displayed in one Web page
sub-frame, referred to as a "child", to match that of the main Web
page, or "parent".
This action enables an attacker to circumvent a number of security
rules that prohibit the free interaction between frames displaying
different Internet domains.
Once the attacker is in control of the parent frame, the URL of
that frame can be replaced with a new script that allows the
attacker to read information from cookies and other files
containing a user's personal information.
Experts said that this flaw and the tight integration between
Microsoft's Internet Explorer browser and its other Office
products, including the Outlook e-mail program, meant there were
many ways an unsuspecting user could be drawn to visit a Web page
controlled by a hacker.
Lee Dagon, a researcher at GreyMagic, outlined one method. "Some
versions of Outlook Express and Outlook render e-mails sent in HTML
format . . . this means that scripts can execute and the
vulnerability becomes exploitable by e-mail," Dagon said.
Not all of the vulnerabilities Larholm identified are severe, but
the sheer number of different security holes poses problems. "They
all add up," Larholm said. "Some are mild, some are severe, but
when you combine them, they can be devastating."
The vulnerabilities can be particularly dangerous when coupled with
an unsuspecting user, Dagon said.
"Users are generally trusting their browser to keep them safe and
most of them don't even realise that a simple Web page may be able
to access their private documents," Dagon said.
Microsoft said the company's security experts often reached
different conclusions about the technical feasibility of the
possible attacks identified by third-party security experts.
Despite the vulnerabilities he found, Larholm recommended that
Internet Explorer users upgrade to Service Pack 1. He also warned
that vulnerabilities exist in alternative browsers such as Netscape
and Opera.