By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
The patch contained fixes for more than 300 issues with Internet Explorer 6, which was first released with the Windows XP operating system in October 2001, but still left significant flaws.
Thor Larholm, researcher at security consulting company Pivx Solutions, said the situation remained "pretty bad". He warned, "You can do anything to anyone's Web page with Internet Explorer 6. It's wide open."
Security experts' chief concerns are on vulnerabilities that could allow attackers to take advantage of holes in the web of restrictions and security rules that make up Microsoft's Dynamic HTML (Hypertext Markup Language) Object Model. This governs the interaction of windows, dialogue boxes and Web page frames.
An advisory issued recently by Israeli security company GreyMagic Software warned about the potential dangers of "cross-frame scripting" when using Internet Explorer, including Version 6, Service Pack 1.
This action enabled an attacker to circumvent a number of security rules that prohibit the free interaction between frames displaying different Internet domains.
Once in control of the parent frame, the URL of that frame can be replaced with a new script that allows an attacker to read information from cookies and other files containing a user's personal information.
Experts said that this flaw and the tight integration between Microsoft's Internet Explorer browser and its other Office products, including the Outlook e-mail program, meant there were many ways an unsuspecting users could be drawn to visit a Web page controlled by a hacker.
Lee Dagon, a researcher at GreyMagic, outlined one method. "Some versions of Outlook Express and Outlook render e-mails sent in HTML format . . . this means that scripts can execute and the vulnerability becomes exploitable by e-mail," Dagon said.
Not all of the vulnerabilities Larholm identified are severe but the sheer numbers of different security holes pose problems. "They all add up," Larholm said. "Some are mild, some are severe, but when you combine them, they can be devastating."
The vulnerabilities can be particularly dangerous when coupled with an unsuspecting user, Dagon said.
"Users are generally trusting their browser to keep them safe and most of them don't even realise that a simple Web page may be able to access their private documents," Dagon said.
Microsoft said the company's security experts often reached different conclusions about the technical feasibility of the possible attacks identified by third-party security experts.
Despite the vulnerabilities he found, Larholm recommended that Internet Explorer users upgrade to Service Pack 1. He also warned that vulnerabilities exist in alternative browsers such as Netscape and Opera.