Internet Explorer Flaw Abets Attackers
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Internet Explorer Flaw Abets Attackers

Written By
Dennis Fisher
Dennis Fisher
Oct 16, 2002
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Security researchers have identified a new vulnerability in Internet Explorer that enables an attacker to steal cookies, forge Web content and run code on users machines.

The flaw, which lies in the WebBrowser control, affects IE 5.5 and 6.0. Users who have installed IE Service Pack 1 or are running Windows XP with Service Pack 1 installed are not vulnerable. However, there is currently no patch available, and exploit code for the problem has been posted to at least one security mailing list.

The vulnerability stems from how IE handles certain HTML elements, namely “frame” and “iframe.” When a specific method for referring to a document uses the iframe element, the document that is returned is the one contained within the frame. As such, there are no security restrictions in place to check whether the document is in a different domain, according to an advisory published by GreyMagic Software, the Israeli security firm that discovered the vulnerability.

“This provides free and full access to the frames Document Object Model, which allows an attacker to steal cookies from any site, gain access to content in sites, read local files and execute arbitrary programs on the clients machine,” GreyMagic said in its advisory, published Tuesday.

Normally, frames in one domain are prevented from accessing content in other frames.

The most likely attack scenario would involve an intruder sending an HTML mail message to a vulnerable user.

But anyone who has installed the cumulative patch for IE that Microsoft released in May (MS02-023), which turns off frames in the zone in which HTML mail executes, would be protected.

Microsoft officials said they are looking into GreyMagics claims.

“The Microsoft Security Response Center is thoroughly investigating this issue, just as we do with every report we receive of security vulnerabilities affecting Microsoft products. At this point in the investigation we feel strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers information,” the company said in a statement.

The Redmond, Wash., software maker also criticized GreyMagic for releasing the vulnerability report without first notifying Microsoft.

Related Stories:

  • Microsoft Warns of Critical Flaw in Outlook Express
  • More Security Coverage
Dennis Fisher
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information