Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2001.478 -- Microsoft Security Bulletin MS01-055 Cookie Data in IE Can Be Exposed or Altered Through Script Injection 9 November 2001 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Internet Explorer 5.5 Internet Explorer 6.0 Vendor: Microsoft Operating System: Windows Impact: Access Privileged Data Access Confidential Data Modify Arbitrary Files Access Required: Remote - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- - - ---------------------------------------------------------------------- Title: Cookie Data in IE Can Be Exposed or Altered Through Script Injection Date: 08 November 2001 Software: Internet Explorer Impact: Exposure and altering of data in cookies Max Risk: High Bulletin: MS01-055 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-055.asp. - - ---------------------------------------------------------------------- Issue: ====== Web sites use cookies as a way to store information on a user's local system. Most often, this information is used for customizing and retaining a site's setting for a user across multiple sessions. By design each site should maintain its own cookies on a user's machine and be able to access only those cookies. A vulnerability exists because it is possible to craft a URL that can allow sites to gain unauthorized access to user's cookies and potentially modify the values contained in them. Because some web sites store sensitive information in a user's cookies, it is also possible that personal information could be exposed. Microsoft is preparing a patch for this issue, but in the meantime customers can protect their systems by disabling active scripting. (The FAQ provides step-by-step instructions for doing this). This will protect against both the web-hosted and the mail-borne variants discussed above. When the patch is complete, Microsoft will re-release this bulletin and provide details on obtaining and using it. Mitigating Factors: ==================== - A user must first be enticed to a malicious web site or to open an HTML e-mail containing the malformed URL. - Users who have applied the Outlook Email Security Update are not affected by the HTML mail exploit of this vulnerability. - Users who have set Outlook Express to use the "Restricted Sites" Zone are not affected by the HTML mail exploit of this vulnerability because the "Restricted Sites" zone sets Active Scripting to disabled. Note that this is the default setting for Outlook Express 6.0. Users of Outlook Express 6.0 should verify that Active Scripting is still disabled in the Restricted Sites Zone. Risk Rating: ============ - Internet systems: High - Intranet systems: High - Client systems: High Patch Availability: =================== - A patch is currently under development. A work-around is available to mitigate this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms01-055.asp for information on obtaining this patch. - - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. - -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBO+s7240ZSRQxA/UrAQHg8gf6A9I1jKIOsGVNbl7viLQoBWbjC1aCFH8n JtP2vFIB182ioZP0xipj9cCncGggwQeSC96xbN8mxRhCPeKUGq0QNzoqhouZ2Dcr KzPNRDJ7+FmL9uD9m/jtCnxrUGlYtfRWs1xvhurl7IEzepP5TmxD5d5xZO/OXPzM EIW04RrZhR0pSzvfBztOhnLg8Uac9vr0+GKIqStFJNuzExXaHve6ID0/tIK6b+er Bslef6ctE0UJ70IEQ4uSZTAhNgWLJRI9oiFsD0aTFOCaCqxQpscT5AIxCnUL2651 uXQNGIUWGkC45Ybp5fxQBCN80mvJ80uwWiCTp7a2pSlKRSWq/b07uw== =q7Wz - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBO+vvhSh9+71yA2DNAQG+SAP9GGPbWYbEHIY36CSdQDBzJNkqaNvSw8HZ wAG8dx6GomTcIGb9g2JooJXY1FA8S+uVZspjv2CkTTTNr3+eBn7eYjgQlfj8OlSX alWpcgZV5ZahT8koq3KNpjapWM/4WkJVNEpqA0CdJFlfd0LmfHgM17irhsyMMX6k 7fqEbk5wonM= =GoWX -----END PGP SIGNATURE-----