IE 6 Privacy Features Open Users To Attack

Discussion in 'other security issues & news' started by Technodrome, Apr 24, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Feb 13, 2002
    New York
    More news on IE6 privacy  o_O

    Security flaws in privacy features added to Microsoft's Web browser could enable attackers to perform several privacy-robbing attacks, including hijacking victims' MSN Messenger accounts, a security researcher warned.
    According to Thor Larholm, a developer with Denmark-based Internet portal, "severe" bugs in the "Privacy Report" feature in Internet Explorer version 6 can be exploited "in effect removing all privacy."

    Last week, Larholm posted an advisory and harmless demonstrations of the flaws at his personal Web site. One example showed how the browser bugs enable a Web site to launch programs that exist on the user's hard disk. Another demo page silently sends a message to users in the target's MSN Messenger contact list.

    "Hello, my MSN has just been h4><0r3d. However, this is nothing to be worried about. Your MSN is fine. The person who sent this would probably like a reply though, to show that it worked," read the instant message transmitted by Larholm's demonstration.

    Larholm said the IE flaws also enable an attacker to steal a victim's browser cookies. Cookie files are sometimes used by the browser to authenticate users and allow them to access sites. Larholm did not provide a demonstration of the cookie-stealing exploit.

    According to Larholm, he notified Microsoft about the IE vulnerabilities on March 18. The researcher said he decided to publicize his findings because he felt Microsoft was not giving the flaws proper consideration.

    "After a month, they are still only at a stage where they are considering whether to patch it," said Larholm in an interview today.

    A Microsoft representative said the company was still investigating the issue and declined further comment.

    Larholm said the security flaws lie in an IE feature for creating dialog windows. The browser fails to perform proper validation checking when a privacy dialog window interacts with a remote site, he said.

    By clicking an icon in the browser's status bar, IE 6 users can view a privacy report when they visit a site. The report enables users to control how the browser handles cookies from the site and to view its privacy policy.

    Disabling IE's use of JavaScript prevents the flaws from being exploitable, according to Larholm.

    In response to Larholm's advisory, GreyMagic Software of Israel said it found similar dialog-related flaws in another IE resource named Analyze.dlg. According to GreyMagic, earlier versions of Microsoft's browser, including IE 5 and IE 5.5, as well as IE 6, are vulnerable to the attack.

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.