Security vulnerabilities persist after IE 6 patch

Only days after the official release of the first service pack for Microsoft Corp.’s Internet Explorer Version 6 Web browser, security experts are raising concerns about security vulnerabilities that were not addressed by the company.

The patch release, known as “Service Pack 1” was posted Monday on Microsoft’s Web site and contains fixes for more than 300 issues with Internet Explorer 6, which was first released with the Windows XP operating system in October of 2001. Despite the fixes, however, security experts warn that significant vulnerabilities remain even after applying the patch. “Security-wise, I would say it’s pretty bad right now,” says Thor Larholm, a security researcher for Pivx Solutions LLC, a Newport Beach, California, security consulting company.

“You can do anything to anyone’s Web page with Internet Explorer 6. It’s wide open to anyone.”

Top among Larholm and other security experts’ concerns are vulnerabilities that make it possible for attackers to take advantage of holes in the web of restrictions and security rules that make up Microsoft’s Dynamic HTML (Hypertext Markup Language) Object Model, which governs the interaction of windows, dialogue boxes and Web page frames.

An advisory issued recently by the Israeli security company GreyMagic Software warns about the potential dangers, when using Internet Explorer, including Version 6 Service Pack 1, of what is referred to as “cross-frame scripting.”

Intended to make it easy to pass information back and forth to different parts of a Web page, cross-frame scripting also makes it possible for attackers, once their Web page is loaded by the Internet Explorer, to use JavaScript to change the URL (uniform resource locator) displayed in one Web page sub-frame, referred to as a “child” to match that of the main Web page or “parent,” thus circumventing a host of security rules that prohibit the free interaction between frames displaying different Internet domains. Once in control of the parent frame, the URL of that frame can be replaced with a new script that allows an attacker to read information from cookies and other files containing a user’s personal information.

And, experts say, because of the tight integration between Microsoft’s Internet Explorer browser and its other Office products, such as the popular e-mail program Outlook, there is no shortage of ways to trick unsuspecting users into visiting a Web page that a hacker controls.

“This can be done in many ways,” said Lee Dagon, a researcher at GreyMagic. “For example, some versions of Outlook Express and Outlook render e-mails sent in HTML format…this means that scripts can execute and therefore the vulnerability becomes exploitable by e-mail,” Dagon said.

While not all of the vulnerabilities Larholm identified are severe, the Denmark-based researcher said that the sheer number of different security holes make it easy for attackers to move freely once they have gained access to a machine using Internet Explorer and running Windows.

“They all add up,” Larholm said in reference to the security holes. “Some are mild, some are severe, but when you combine them, they can be devastating.”

An example of the cumulative effect of such holes can be found in an advisory posted on, a security Web site. Taking advantage of three separate Internet Explorer vulnerabilities, one reported more than a year ago, those who run the Web site were able to demonstrate how a program could be silently placed and run on a remote computer with no user interaction other than visiting an attacker’s Web page and having the Internet Explorer and Windows Media Player — both standard Microsoft Windows applications — installed.

Such vulnerabilities are particularly dangerous when coupled with an unsuspecting user, Dagon said.

“Users are generally trusting their browser to keep them safe and most of them don’t even realize that a simple Web page may be able to access their private documents,” Dagon said.

When asked for comment on the issues raised by Larholm and other security experts, a spokesperson for Microsoft said that the company firmly believes it acts in the best interest of customers, and that Microsoft’s security experts often reach different conclusions about the technical feasibility of the possible attacks identified by third-party security experts.

Despite the vulnerabilities he found, Larholm still recommends that Internet Explorer users upgrade to Service Pack 1.

“If you’re going to use Internet Explorer, I would recommend upgrading to Service Pack 1,” Larholm said. “The vulnerabilities that exist in (Internet Explorer version 6.0) Service Pack 1 exist in the 5.0, 5.5 and 6.0 browsers too, and the improvements in Service Pack 1 are adequate to justify upgrading.”

In addition, the lack of attention to vulnerabilities in other browser platforms doesn’t mean that those are more secure, Larholm said. “Even though Internet Explorer is very high profile on vulnerabilities doesn’t mean that those vulnerabilities don’t exist in other browsers as well.”

Indeed, other browsers may be just as susceptible as Internet Explorer, but are much less commonly used.

“The Netscape, Opera, and Konqueror browsers, nobody writes exploits for those (browsers) because nobody really cares,” Larholm said. “They’ll have to have more than 1 per cent or 2 per cent of users before people start to notice.”