A new bug was discovered this week in Internet Explorer — this time affecting the way the browser handles cookies.
First reported Thursday on the peacefire.org Web site, the glitch involves the way
Computer bug-hunters pointed out a way to snare personal information from a “cookie” file if the victim uses Microsoft Internet Explorer and clicks on a disguised string of JavaScript code. Microsoft reports it is working on a patch for the security hole.
Bennett Haselton, who organized Peacefire as an anti-censorship group for young people, has been focused on pointing out a series of security flaws involving browsers as well as Web-based e-mail services, such as Microsoft’s Hotmail.
When a user connects with a Web site, the browser looks at the address that is typed in to determine whether it should provide access to a particular cookie. By replacing slashes and a question mark in a long Internet address with an alternate string of hexadecimal characters, such as “%2f” and “%3F,” the characters can be interpreted in such a way that the browser connects to one site but opens another specified site’s cookies.
Haselton acknowledged that cookies don’t generally store a user’s most sensitive personal information, such as credit card numbers. However, some free e-mail sites such as Hotmail and Yahoo! use cookies to authenticate users if they were already logged in to the sites.
A determined break-in artist could harvest information from cookies for sites such as the New York Times, decipher the usernames and passwords, then try using that same login information at other Web sites, Haselton said.
There were no indications on Thursday that the technique was being used “in the wild” for malicious purposes. The vulnerability was found in all versions of IE for Windows platforms, but not in the Macintosh or Unix editions.
According to Microsoft, the security hole could cause trouble, but there are ways to avoid problems.
“Microsoft is committed to protecting customers’ information,” the company said in a statement, “and we are developing a patch that eliminates a security vulnerability involving the handling of cookies by IE. We expect to deliver the patch shortly.”
A security bulletin will be published to discuss the issue and advise customers how to obtain and apply the patch.
Additionally, Microsoft pointed out that customers who have used the IE Security Zones feature to disable active scripting on sites they don’t trust could not be affected by this vulnerability.