Security hole in IE reveals data in cookies

A newly reported vulnerability in Microsoft Corp.’s Internet Explorer allows hackers to steal or corrupt cookie information on a user’s desktop through a malformed URL at a Web site or in an HTML e-mail.

The vulnerability means a user’s personal information, such as a credit card number or home address, could be stolen by a malicious site if other sites have stored that data on the user’s hard drive. The flaw involves Microsoft’s IE browser versions 5.5 and 6.0.

Microsoft rates the hole as a high security risk, but hasn’t yet come out with a patch. For now, the software manufacturer urges users to do a work-around by disabling active scripts. A full explanation and instructions for the work-around are on Microsoft’s TechNet site.

Microsoft spokesman Christopher Budd said the company faces a challenge in making consumers aware of the problem. “We are working with the press. We view the press as instrumental as getting out to the consumer base. As far as getting the word out, we are going high and low… because clearly we have an interest in getting the word out.”

He said Microsoft is taking measures such as creating easy downloads at consumer-oriented security sites to get patches.

“They don’t have to worry or dig into the technical [side]. We put a lot of effort into our bulletins. We’ve taken great pains to describe this in as plain English as possible. There’s not going to be a single easy answer to this.”

The vulnerability raises more questions over Microsoft’s ability to securely manage personal data through its .Net and Passport services.

“I don’t have faith in Passport anyway. It’s like Swiss cheese. It’s just another hole in the Swiss cheese called Passport,” said Michele Rubenstein, a security expert in Washington and president of the EMA, a user forum within The Open Group, an IT user advocacy group.

To be fair, however, Rubenstein said Web sites that don’t store data securely, or that store sensitive information in cookies, also must share the blame. “A well-designed Web page should not store vital or critical information in a cookie stored on a hard disk,” she said.

The magnitude of the hole also presents a daunting task for Microsoft in alerting consumers who may not pay attention to security bulletins and don’t know how to apply work-arounds.

“People like my mom, who are on the Internet, aren’t aware of these things,” Rubenstein said. “How is she going to learn about that?” she asked, unless someone is checking on security issues for her.

In the statement posted yesterday, Microsoft said, “A malicious Web site with a malformed URL could read the contents of a user’s cookie which might contain personal information. In addition, it is possible to alter the contents of the cookie. This URL could be hosted on a Web page or contained in an HTML e-mail … The vulnerability results because of an unsafe handling of cookies across [Internet Explorer] zones.”

That is, instead of restricting a Web site to access only those cookies it stored on the user’s hard drive, IE allows Web sites to grab cookies from other sites.

Microsoft was notified of the vulnerability Nov. 1 by a Finnish security firm, Online Solution Ltd, another Microsoft spokesman said. At first, the firm agreed to work with Microsoft, he said, but then decided it would be a good marketing opportunity to publicize the vulnerability.

Microsoft said in its advisory that the person who discovered this vulnerability has chosen to handle it irresponsibly and has deliberately made this issue public only a few days after reporting it to Microsoft.

Microsoft released this statement sent to the company from Online Solution’s CEO: “[F]inding and reporting of this kind of vulnerability is a great marketing opportunity for us… we are willing to postpone the publication if we can find any way to work together so that our company would otherwise benefit from this. Otherwise we don’t see any reason to not report this bug and use it for our marketing purposes.”