Internet Explorer vulnerabilities persist after Service Pack release

Key vulnerabilities in Microsoft's Internet Explorer Version 6 Web browser have not been addressed in the Service Pack that was released on 9 September.

The patch contained fixes for more than 300 issues with Internet Explorer 6, which was first released with the Windows XP operating system in October 2001, but still left significant flaws.

Thor Larholm, researcher at security consulting company Pivx Solutions, said the situation remained "pretty bad". He warned, "You can do anything to anyone's Web page with Internet Explorer 6. It's wide open."

Security experts' chief concerns are vulnerabilities that could allow attackers to take advantage of holes in the web of restrictions and security rules that make up Microsoft's Dynamic HTML (Hypertext Markup Language) Object Model, which governs the interaction of windows, dialogue boxes and Web page frames.

An advisory issued recently by Israeli security company GreyMagic Software warned about the potential dangers of "cross-frame scripting" when using Internet Explorer, including Version 6, Service Pack 1.

Cross-frame scripting was intended to make it easy to pass information back and forth between different parts of a Web page. However, it also makes it possible for attackers, once a user's Web page is loaded by Internet Explorer, to use JavaScript to change the URL (uniform resource locator) displayed in one Web page sub-frame, referred to as a "child", to match that of the main Web page, or "parent".

This action enables an attacker to circumvent a number of security rules that prohibit free interaction between frames displaying different Internet domains.

Once in control of the parent frame, the URL of that frame can be replaced with a new script that allows an attacker to read information from cookies and other files containing a user's personal information.

Experts said that this flaw and the tight integration between Microsoft's Internet Explorer browser and its other Office products, including the Outlook e-mail program, meant there were many ways an unsuspecting user could be drawn to visit a Web page controlled by a hacker.

Lee Dagon, a researcher at GreyMagic, outlined one method. "Some versions of Outlook Express and Outlook render e-mails sent in HTML format . . . this means that scripts can execute and the vulnerability becomes exploitable by e-mail," Dagon said.

Not all of the vulnerabilities Larholm identified are severe, but the sheer number of different security holes poses problems. "They all add up," Larholm said. "Some are mild, some are severe, but when you combine them, they can be devastating."

The vulnerabilities can be particularly dangerous when coupled with an unsuspecting user, Dagon said.

"Users are generally trusting their browser to keep them safe and most of them don't even realise that a simple Web page may be able to access their private documents," Dagon said.

Microsoft said the company's security experts often reached different conclusions about the technical feasibility of the possible attacks identified by third-party security experts.

Despite the vulnerabilities he found, Larholm recommended that Internet Explorer users upgrade to Service Pack 1. He also warned that vulnerabilities exist in alternative browsers such as Netscape and Opera.
