Microsoft Patch Fixes 6 Critical IE Flaws | eWeek

Microsoft Patch Fixes 6 Critical IE Flaws

Verfasst von
Dennis Fisher
Dennis Fisher
May 16, 2002
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Microsoft Corp. on Wednesday released a cumulative patch that fixes six new vulnerabilities in Internet Explorer.

Two of the flaws could enable an attacker to read files on a users machine, although there are several mitigating factors that make such an attack quite difficult.

Microsoft, of Redmond, Wash., has rated the new vulnerabilities as critical. The new patch also contains fixes for all previously discovered flaws in IE 5.01, 5.5 and 6.0.

The first of the two so-called information disclosure vulnerabilities lies in the way that an HTML object supports Cascading Style Sheets. An attacker could create a Web page or HTML mail message to exploit the vulnerability, but he would need to know the exact name and location of the file he wanted to read on the users machine. Further, the file must contain one particular ASCII character and the attacker could not add or delete any information in the file, according to Microsofts advisory.

The second such flaw allows an attacker to build a cookie that would enable him to read the information contained in other sites cookies stored on a users machine. But, again, the attacker would need to know the exact name of the cookie he wanted to read.

There is also a cross-site scripting flaw in one of the local HTML files that ship with IE. A successful exploit of the vulnerability would give an attacker the ability to execute scripts on the users machine in the Local Computer zone, which has fewer restrictions than scripts executed in other IE zones.

A similar flaw could allow attackers to run pages on users machines in the Intranet zone.

The final two vulnerabilities are variants of the content disposition problem in IE for which Microsoft issued a patch last year. They enable an attacker to construct special headers in executable files that trick IE into believing that the file is safe to download and run automatically.

The two new flaws require that the users machine be running an application that passes the malformed content back to the operating system instead of generating an error message.

Related stories:

  • Microsoft, AOL IM Flaws Uncovered
  • MS Charney Must Make Security Job One
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.