Security Flaws Found in IE 6.0 | eWeek

Security Flaws Found in IE 6.0

Verfasst von
Dennis Fisher
Dennis Fisher
Dec 14, 2001
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Three new security vulnerabilities in Microsoft Corp.s newest Internet browser give attackers the ability execute arbitrary code and read files stored on target machines.

All of the flaws affect Internet Explorer 6.0, and two of them also affect IE 5.5. Microsoft has given all three vulnerabilities critical ratings, its most serious designation.

The most severe flaw involves the way that IE 6.0 handles content-disposition and content-type header fields. The fields, along with the URL and the hosted file data, determine how a file is handled when it is downloaded by IE, according to a Microsoft bulletin.

By altering the HTML header in a specific manner, an attacker could force IE to open an executable file upon download, without asking the user for permission. Thus, an attacker could create an HTML mail message or Web page capable of automatically running code on a vulnerable machine.

A simple workaround for this vulnerability is to disable file downloads in the Security Zone in which the file is received, most often the Internet or Intranet zones. This is not the default setting for either zone, however, so the change must be made manually.

The second flaw–affecting both IE 5.5 and 6.0–is a variant of a previously discovered problem that enables a Web-site operator to open two browsers, one in the sites domain and another on the users machine, and pass information from one to the other. This enables the attacker to read, but not modify, files on the users machine that can be opened in a browser, such as HTML or image files.

A third flaw in IE 5.5 and 6.0 under some circumstances enables an attacker to change the name of a file in the dialog box that appears when a file is being downloaded from the Internet. The vulnerability can be exploited via HTML mail or a Web page and can be used to trick users into opening malicious files.

Microsoft has included patches for all three vulnerabilities in a new roll-up package that also contains fixes for all previously discovered flaws in IE 5.5 and 6.0.

The package is available at Microsofts security site.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.