Developer
SHARE
Facebook X Pinterest WhatsApp

Another 9 Exploits Found in IE

Written By
thumbnail
Jim Wagner
Jim Wagner
Oct 22, 2002

A performance-boosting feature found in Microsoft’s Internet Explorer 5.5 and 6 has
opened up nine vulnerabilities that can leave a user’s PC wide open for
remote exploit, according to the company that found the breach earlier this
month.

Previous IE versions, as well as IE 6.1 are unaffected by the flaw, said
officials at GreyMagic Software Tuesday, the Israeli firm who discovered
the flaw. Last week, the company publicized a flaw in IE 5.5 and 6 that lets hackers
steal Web cookies from Web sites and forge content to read local files
and execute programs in the Document Object Model (DOM).

Microsoft officials were unaware of the vulnerability at press time. After
last week’s flaw was published, they berated GreyMagic for not giving their
own engineers time to investigate the vulnerability.

Tuesday’s nine vulnerabilities all find their root in object caching, which
performs security checks when people visit Web sites. In the time it takes
for one page to unload and the other to load, these security checks
determine whether both pages are in the same security zone and domain.

The problem, according to GreyMagic engineers, is that objects that are
supposed to be inaccessible when the pages are unloaded and the references
stored become open to exploit. In essence, the assumed-to-be-inaccessible
pages are now interoperable with other documents, such as the attacker’s
page found on his or her site.

While the object caching vulnerability affects one area of the Web browser,
there are nine separate methods for exploitation. Following are the
methods and their potential impact. GreyMagic also published the exploits
to compromise the vulnerability, but internetnews.com does not
publish exploits:

  • showModalDialog – Full access in IE 5.5, “My Computer” zone access in
    IE 6.
  • external – Full DOM access on both versions.
  • createRange – Full DOM access on both versions.
  • elementFromPoint – Full DOM access on both versions.
  • getElementById – Full DOM access on both versions.
  • getElementsByName – Full DOM access on both versions.
  • getElementsByTagName – Full DOM access on both versions.
  • execCommand – read access to the loaded document.
  • clipboardData – read/write access to the clipboard, regardless of
    settings.

GreyMagic engineers recommend disabling Active Scripting until a patch is
released, or upgrading to IE 6.1.

thumbnail
Jim Wagner

Recommended for you...

thumbnail
Oracle’s NetBeans Headed to The Apache Software Foundation
Software
Oracle’s NetBeans Headed to The Apache Software Foundation
Sean Michael Kerner
Sep 13, 2016
thumbnail
Praise Be to the Dockercon 16 Demo Gods : Drink Espresso #dockercon
Software
Praise Be to the Dockercon 16 Demo Gods : Drink Espresso #dockercon
Sean Michael Kerner
Jun 20, 2016
Software
Facebook Gets Serious about Open-Source
Sean Michael Kerner
Feb 23, 2015
Security
Python 2 Gets New Security Features, Four Years After It was Supposed to Go Away
Sean Michael Kerner
Dec 16, 2014
Internet News Logo

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. InternetNews focuses on helping professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.

facebook
x

Company

Contact us Advertise with us

Categories

News Enterprise Small Business Reviews Podcasts Blog Research

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information