Microsoft Patch Fixes 6 Critical IE Flaws
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Microsoft Patch Fixes 6 Critical IE Flaws

Written By
Dennis Fisher
Dennis Fisher
May 16, 2002
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Microsoft Corp. on Wednesday released a cumulative patch that fixes six new vulnerabilities in Internet Explorer.

Two of the flaws could enable an attacker to read files on a users machine, although there are several mitigating factors that make such an attack quite difficult.

Microsoft, of Redmond, Wash., has rated the new vulnerabilities as critical. The new patch also contains fixes for all previously discovered flaws in IE 5.01, 5.5 and 6.0.

The first of the two so-called information disclosure vulnerabilities lies in the way that an HTML object supports Cascading Style Sheets. An attacker could create a Web page or HTML mail message to exploit the vulnerability, but he would need to know the exact name and location of the file he wanted to read on the users machine. Further, the file must contain one particular ASCII character and the attacker could not add or delete any information in the file, according to Microsofts advisory.

The second such flaw allows an attacker to build a cookie that would enable him to read the information contained in other sites cookies stored on a users machine. But, again, the attacker would need to know the exact name of the cookie he wanted to read.

There is also a cross-site scripting flaw in one of the local HTML files that ship with IE. A successful exploit of the vulnerability would give an attacker the ability to execute scripts on the users machine in the Local Computer zone, which has fewer restrictions than scripts executed in other IE zones.

A similar flaw could allow attackers to run pages on users machines in the Intranet zone.

The final two vulnerabilities are variants of the content disposition problem in IE for which Microsoft issued a patch last year. They enable an attacker to construct special headers in executable files that trick IE into believing that the file is safe to download and run automatically.

The two new flaws require that the users machine be running an application that passes the malformed content back to the operating system instead of generating an error message.

Related stories:

  • Microsoft, AOL IM Flaws Uncovered
  • MS Charney Must Make Security Job One
Dennis Fisher
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information