Internet Explorer hole reveals data in cookies

A newly reported vulnerability in Microsoft's Internet Explorer browser allows hackers to steal or corrupt cookie information on...

A newly reported vulnerability in Microsoft's Internet Explorer browser allows hackers to steal or corrupt cookie information on a user's desktop through a malformed URL at a Web site or in an HTML e-mail.

The vulnerability in IE 5.5 and 6.0 means a malicious site could steal personal information - such as a credit card number or home address - if other sites have stored that data on the user's hard drive.

Microsoft rated the hole as a high security risk, but has yet to release a patch. For now, the software manufacturer has urged users to do a work-around by disabling active scripts. A full explanation and instructions for the work-around are on Microsoft's TechNet site.

Microsoft spokesman Christopher Budd said the company faced a challenge in making consumers aware of the problem. "We are working with the press," said Budd. "We view the press as instrumental as getting out to the consumer base."

Budd said Microsoft was taking measures such as creating easy downloads at consumer-oriented security sites to get patches. "We've taken great pains to describe this in as plain English as possible. There's not going to be a single easy answer to this."

The vulnerability raises more questions over Microsoft's ability to securely manage personal data through its .Net and Passport services.

"I don't have faith in Passport anyway. It's like Swiss cheese," said Michele Rubenstein, a security expert in Washington and president of the EMA, a user forum within the IT user advocacy group, The Open Group.

Web sites that did not store data securely, or that stored sensitive information on cookies, were also to blame, according to Rubenstein. "A well-designed Web page should not store vital or critical information in a cookie stored on a hard disk," she said.

The scale of the problem also presents a daunting task for Microsoft in alerting consumers who may not pay attention to security bulletins and are unable to apply work-arounds.

"People like my mum, who are on the Internet, aren't aware of these things," Rubenstein said. Such people needed to have someone checking on security issues for them, she added.

In a statement, Microsoft said: "A malicious Web site with a malformed URL could read the contents of a user's cookie, which might contain personal information. In addition, it is possible to alter the contents of the cookie. This URL could be hosted on a Web page or contained in an HTML e-mail. The vulnerability results because of an unsafe handling of cookies across [Internet Explorer] zones."

Instead of restricting a Web site to access only those cookies stored on the user's hard drive, IE allows Web sites to grab cookies from other sites.

Microsoft was notified of the vulnerability on 1 November by Finnish security firm Online Solution. At first, the firm agreed to work with Microsoft on a solution, but then decided to publicise the vulnerability.

Read more on Antivirus, firewall and IDS products