Security researchers have identified a new vulnerability in Internet Explorer that enables an attacker to steal cookies, forge Web content and run code on users machines.
The flaw, which lies in the WebBrowser control, affects IE 5.5 and 6.0. Users who have installed IE Service Pack 1 or are running Windows XP with Service Pack 1 installed are not vulnerable. However, there is currently no patch available, and exploit code for the problem has been posted to at least one security mailing list.
The vulnerability stems from how IE handles certain HTML elements, namely “frame” and “iframe.” When a specific method for referring to a document uses the iframe element, the document that is returned is the one contained within the frame. As such, there are no security restrictions in place to check whether the document is in a different domain, according to an advisory published by GreyMagic Software, the Israeli security firm that discovered the vulnerability.
“This provides free and full access to the frames Document Object Model, which allows an attacker to steal cookies from any site, gain access to content in sites, read local files and execute arbitrary programs on the clients machine,” GreyMagic said in its advisory, published Tuesday.
Normally, frames in one domain are prevented from accessing content in other frames.
The most likely attack scenario would involve an intruder sending an HTML mail message to a vulnerable user.
But anyone who has installed the cumulative patch for IE that Microsoft released in May (MS02-023), which turns off frames in the zone in which HTML mail executes, would be protected.
Microsoft officials said they are looking into GreyMagics claims.
“The Microsoft Security Response Center is thoroughly investigating this issue, just as we do with every report we receive of security vulnerabilities affecting Microsoft products. At this point in the investigation we feel strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers information,” the company said in a statement.
The Redmond, Wash., software maker also criticized GreyMagic for releasing the vulnerability report without first notifying Microsoft.
- Microsoft Warns of Critical Flaw in Outlook Express
- More Security Coverage