RealTime IT News

IE Users Face New Glitch

A new bug was discovered this week in Internet Explorer -- this time affecting the way the browser handles cookies.

The glitch was first reported Thursday on the peacefire.org Web site, where computer bug-hunters pointed out a way to snare personal information from a "cookie" file if the victim uses Microsoft Internet Explorer and clicks on a disguised string of JavaScript code. Microsoft reports it is working on a patch for the security hole.

Bennett Haselton, who organized Peacefire as an anti-censorship group for young people, has been focused on pointing out a series of security flaws involving browsers as well as Web-based e-mail services, such as Microsoft's Hotmail.

When a user connects with a Web site, the browser looks at the address that is typed in to determine whether it should provide access to a particular cookie. If the slashes and a question mark in a long Internet address are replaced with an alternate string of hexadecimal characters, such as "%2f" and "%3F", the characters can be interpreted in such a way that the browser is connected with one site, but opens another specified site's cookies.
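The mismatch described above can be modelled as two routines that disagree about where the host name ends in the same address. The following JavaScript is an added illustration, not code from Internet Explorer, Microsoft or Peacefire; the function names, the two-routine model and the `.example` hostnames are assumptions made for the example.

```javascript
// Added illustration, not Internet Explorer's code. All hostnames are constructed.
// Assumes an absolute address of the form scheme://authority/...

// Authority = text between "://" and the first literal "/", "?" or "#".
function rawAuthority(address) {
  const start = address.indexOf("://") + 3;
  return address.slice(start).split(/[\/?#]/)[0].toLowerCase();
}

// Model of the network side: escapes are decoded before the host is cut out,
// so "%2f" already acts as a path separator.
function connectHost(address) {
  return rawAuthority(decodeURIComponent(address));
}

// Model of the cookie side: suffix match on the undecoded authority.
function cookieMatchesNaive(address, cookieDomain) {
  return rawAuthority(address).endsWith(cookieDomain.toLowerCase());
}

// Hardened: derive the host once, refuse anything that is not a plain hostname,
// and use that same host for the cookie decision.
function safeHost(address) {
  const host = rawAuthority(address);
  if (!/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d+)?$/.test(host)) return null;
  return host.replace(/:\d+$/, "");
}

function cookieMatchesSafe(address, cookieDomain) {
  const host = safeHost(address);
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host !== null && (host === domain || host.endsWith("." + domain));
}

// Defender-side check: do the two interpretations disagree about the host?
function hostsDisagree(address) {
  try {
    return connectHost(address) !== rawAuthority(address);
  } catch (e) {
    return true; // malformed escape sequence: treat as suspicious
  }
}

// Constructed sample shaped as the article describes (escaped "/" and "?").
const SAMPLE = "http://site-a.example%2fpage.html%3F.site-b.example/";
```

In this model the network side resolves `SAMPLE` to `site-a.example` while the naive cookie check accepts it for `.site-b.example`; the hardened check rejects the address because its authority contains characters that cannot appear in a hostname.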

Haselton acknowledged that cookies don't generally store a user's most sensitive personal information, such as credit card numbers. However, some free e-mail sites such as Hotmail and Yahoo! use cookies to authenticate users if they were already logged in to the sites.

A determined break-in artist could harvest information from cookies for sites such as the New York Times, decipher the usernames and passwords, then try using that same login information at other Web sites, Haselton said.

There were no indications on Thursday that the technique was being used "in the wild" for malicious purposes. The vulnerability was found in all versions of IE for Windows platforms, but not in the Macintosh or Unix editions.

According to Microsoft, the security hole could cause trouble, but there are ways to avoid problems.

"Microsoft is committed to protecting customers' information," the company said in a statement, "and we are developing a patch that eliminates a security vulnerability involving the handling of cookies by IE. We expect to deliver the patch shortly."

A security bulletin will be published to discuss the issue and advise customers how to obtain and apply the patch.

Additionally, Microsoft pointed out that customers who have used the IE Security Zones feature to disable active scripting on sites they don't trust could not be affected by this vulnerability.