IE Unauthorized Cookie Access
Reported May 19 by
Marc Slemko

VERSIONS AFFECTED
  • Internet Explorer 4.x
  • Internet Explorer 5.x

    DESCRIPTION

    By design, the IE security model restricts cookies so that they can be read only by sites within the originator's domain. However, by using a specially malformed URL, a malicious web site operator can gain access to another site's cookies and read, add or change them. The operator would need to entice a visiting user into clicking a link in order to access each cookie, and could not obtain a listing of the cookies available on the visitor's system. Even after a cookie is recovered, the type and amount of personal information exposed would depend on the privacy practices followed by the site that placed it there.

    VENDOR RESPONSE

    Microsoft has issued a patch for the problem.

    The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q262509.

    - Frequently Asked Questions: Microsoft Security Bulletin MS00-033,
    http://www.microsoft.com/technet/security/bulletin/fq00-033.asp

    - Knowledge Base article Q262509 discusses the overall patch

    - Knowledge Base articles Q251108 and Q255676 discuss the "Frame Domain Verification" vulnerability

    - Microsoft Knowledge Base article Q258430 discusses the "Unauthorized Cookie Access" vulnerability

    - Microsoft Knowledge Base article Q261257 discusses the "Malformed Component Attribute" vulnerability

    - Microsoft Knowledge Base (KB) article Q247333,
    Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings,
    http://www.microsoft.com/technet/support/kb.asp?ID=247333

    - Microsoft TechNet Security web site,
    http://www.microsoft.com/technet/security/default.asp

    CREDITS
    Discovered and reported by Marc Slemko