SYMPTOMS
A potential security vulnerability exists in Internet Explorer versions 5.5 and 6 that may allow a malicious user to create an URL that allows a Web site to gain unauthorized access to cookies that are stored on your computer and then (potentially) modify the values that are contained in them. Because some Web sites use cookies that are stored on your computer to store sensitive information, it is also possible that personal information could be exposed.
Maliciously exploiting this vulnerability would require that a user choose to click an URL link on a page that an attacker has hosted on his or her site, or to click an URL link that is embedded in an HTML e-mail message that the attacker has sent. It cannot be automatically invoked without user interaction.
Mitigating Factors
- A user must first be convinced to visit a malicious Web site or to open an HTML e-mail message that contains the malformed URL. The user would then have to choose to click a specially formed URL link.
- Users who have applied the Microsoft Outlook E-mail Security Update are not affected by the HTML e-mail exploitation of this vulnerability.
- Users who have set Outlook Express to use the Restricted Sites zone are not affected by the HTML e-mail exploitation of this vulnerability. Note that this is the default setting for Microsoft Outlook Express 6.
RESOLUTION
IMPORTANT: This patch requires that domains that use cookies MUST only have alpha-numeric characters (or '-' or '.') in the domain name. If they do not, cookies may not work properly.
Internet Explorer 6
To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
328548 How to Obtain the Latest Internet Explorer 6 Service Pack
The "Security Update, December 13, 2001" patch is superseded by the following patch:
316059 MS02-005: February 11, 2002, Cumulative Patch for Internet Explorer
The "Security Update, December 13, 2001" patch is available at the following Microsoft Web site:
Internet Explorer 5.5
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated
Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Internet Explorer 5.5 service pack that contains this fix.
To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The "Security Update, December 13, 2001" patch is superseded by the following patch:
316059 MS02-005: February 11, 2002, Cumulative Patch for Internet Explorer
The "Security Update, December 13, 2001" patch is available at the following Microsoft Web site:
NOTE: To prevent the computer from rebooting during installation, add the "/r:n." (without quotes) switch to the Q312461.exe file when you install the patch.
WORKAROUND
To work around this issue, you can disable active scripting in the Internet and Intranet zones in Internet Explorer. To prevent this vulnerability from being used when you are using the HTML rendering feature of Outlook Express, you should configure Outlook Express to use the Restricted Sites zone.
Disable Active Scripting in Internet Explorer
- Start Internet Explorer.
- On the Tools menu, click Internet Options.
- On the Security tab, click Custom Level.
- In the Settings box, click Disable under Active scripting and Scripting of Java applets.
- Click OK, and then click OK.
NOTE: If you disable active scripting in Internet Explorer and you use Microsoft Outlook Web Access (OWA) as an e-mail client, you may lose some OWA functionality. To retain full functionality in OWA, do not disable active scripting in Internet Explorer.
Enable Restricted Sites in Outlook Express
- Start Outlook Express.
- On the Tools menu, click Options.
- Click the Security tab, click Restricted sites zone (More Secure), and then click OK.
NOTE: For sites that have been disabled, or had their functionality changed by turning off active scripting, adding that site into the Trusted sites zone can enable these sites. All sites entered this way have the security settings associated with being in a trusted zone. To do this:
- Start Internet Explorer.
- On the Tools menu, click Internet Options, and then click the Security tab.
- Click to select Trusted sites, and then click Sites.
- Type the name of the web page to be listed as a trusted site, and then click Add. Repeat this process for each web page to be added to the list.
- When you have entered all the web pages to the list, click OK, and then click OK.