By design, the IE security model restricts cookies so that they can be read only by sites within the originator's domain. However, by using a specially malformed URL, it is possible for a malicious web site operator to gain access to another site's cookies and read, add or change them. A malicious web site operator would need to entice a visiting user into clicking a link in order to access each cookie, and could not obtain a listing of the cookies available on the visitor's system. Even after recovering a cookie, the type and amount of personal information would depend on the privacy practices followed by the site that placed it there.
Microsoft has issued a patch for the problem.
The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q262509.
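The domain-scoping rule the bulletin describes, as an added Python illustration (not Microsoft's code or the actual IE logic): a cookie is released to a page only after the request host has been strictly validated, so a malformed URL is rejected outright instead of being fed into the domain comparison. The sample cookie jar, the hostnames and the leading-dot scoping semantics are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Strict hostname syntax (RFC 1123 labels); anything else is treated as malformed.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")

# Constructed sample cookie jar: (name, domain attribute) pairs.
# Assumed semantics: a leading dot scopes the cookie to the domain and its
# subdomains; no leading dot means the cookie belongs to that exact host only.
SAMPLE_JAR = [
    ("session", "bank.example"),
    ("prefs", ".bank.example"),
    ("tracker", "ads.example"),
]


def normalized_host(url):
    """Return the lowercase host of url, or None if it is missing or malformed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return None
    if not host:
        return None
    host = host.lower()
    return host if _HOST_RE.match(host) else None


def domain_matches(host, cookie_domain):
    """True if a validated host falls inside the cookie's domain scope."""
    cookie_domain = cookie_domain.lower()
    if cookie_domain.startswith("."):
        return host == cookie_domain[1:] or host.endswith(cookie_domain)
    return host == cookie_domain


def readable_cookies(url, jar=SAMPLE_JAR):
    """Names of cookies a page at url may read; a malformed URL yields nothing."""
    host = normalized_host(url)
    if host is None:
        return []
    return [name for name, domain in jar if domain_matches(host, domain)]
```

The key defensive property is that validation happens before matching: a host that fails the syntax check never reaches `domain_matches`, so an odd-looking URL cannot coax a suffix comparison into a false positive.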
- Frequently Asked Questions: Microsoft Security Bulletin MS00-033,
- Knowledge Base article Q262509 discusses the overall patch
- Microsoft Knowledge Base article Q258430 discusses the
- Microsoft Knowledge Base article Q261257 discusses the
- Microsoft Knowledge Base (KB) article Q247333,
- Microsoft TechNet Security web site,