Cookie Flaw Leaves IE Users Vulnerable to Attacks

A newly discovered flaw in the way that Internet Explorer handles Web site cookies could enable an attacker to view and edit a users personal data contained in the cookies.

The vulnerability affects all versions of IE, but is mitigated by several factors, according to a bulletin released Thursday by Microsoft Corp.

Under normal operation, Web sites are only able to access the cookies for their site on a given users machine. By crafting a URL with specific contents, an attacker could gain access to cookies for other sites and edit the contents of the files by injecting a script.

Many sites store personally identifiable information in their cookies.

However, to execute the attack, the victim must either visit a Web page or open an e-mail containing the malicious URL. Still, Microsoft has given the vulnerability a “high” severity rating for all affected systems.

The Redmond, Wash., company does not yet have a patch available but said that disabling active scripting will prevent the problem. Also, users who have either applied the Outlook E-mail Security Update or have set Outlook Express to use the Restricted Sites Zone are not vulnerable to the HTML mail portion of the attack.

Also on Thursday, Microsoft issued a warning that the patch it issued last week to fix a denial-of-service vulnerability in the Universal Plug and Play component in Windows ME contained a regression error that causes affected machines to become erratic and hangs some applications.

Similar patches for Windows 98 and Windows XP are unaffected. Microsoft has removed the Windows ME patch from its Web site and is working on an updated patch.

This is the second time in less than three weeks that Microsoft has had to retract a patch because of a regression error. In late October the company had a similar problem with a patch to repair a vulnerability in the terminal services component of Windows 2000. Instead of fixing the flaw, the patch prevented the service from working at all.