Cookie Flaw Leaves IE Users Vulnerable to Attacks | eWeek

Cookie Flaw Leaves IE Users Vulnerable to Attacks

Écrit par
Dennis Fisher
Dennis Fisher
Nov 9, 2001
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

A newly discovered flaw in the way that Internet Explorer handles Web site cookies could enable an attacker to view and edit a users personal data contained in the cookies.

The vulnerability affects all versions of IE, but is mitigated by several factors, according to a bulletin released Thursday by Microsoft Corp.

Under normal operation, Web sites are only able to access the cookies for their site on a given users machine. By crafting a URL with specific contents, an attacker could gain access to cookies for other sites and edit the contents of the files by injecting a script.

Many sites store personally identifiable information in their cookies.

However, to execute the attack, the victim must either visit a Web page or open an e-mail containing the malicious URL. Still, Microsoft has given the vulnerability a “high” severity rating for all affected systems.

The Redmond, Wash., company does not yet have a patch available but said that disabling active scripting will prevent the problem. Also, users who have either applied the Outlook E-mail Security Update or have set Outlook Express to use the Restricted Sites Zone are not vulnerable to the HTML mail portion of the attack.

Also on Thursday, Microsoft issued a warning that the patch it issued last week to fix a denial-of-service vulnerability in the Universal Plug and Play component in Windows ME contained a regression error that causes affected machines to become erratic and hangs some applications.

Similar patches for Windows 98 and Windows XP are unaffected. Microsoft has removed the Windows ME patch from its Web site and is working on an updated patch.

This is the second time in less than three weeks that Microsoft has had to retract a patch because of a regression error. In late October the company had a similar problem with a patch to repair a vulnerability in the terminal services component of Windows 2000. Instead of fixing the flaw, the patch prevented the service from working at all.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.