News

Cumulative IE Patch for Critical Cookie Problem

• By Scott Bekker
• 04/01/2002

The most serious flaw this time is a critical vulnerability in the way IE handles cookies.

"A vulnerability in the zone determination function ... could allow a script embedded in a cookie to be run in the Local Computer zone," according to the bulletin. The only mitigating factor is that the script would run with the same rights as the user.

The bulletin addresses one other newly discovered bug. It is a vulnerability in the handling of object tags that could allow an attacker to invoke an executable already present on a user's machine.

That vulnerability would be much trickier for an attacker to exploit effectively.

The patch includes all existing fixes for IE 5.01, IE 5.5 and IE 6.0.

Descriptions of the new vulnerabilities and the cumulative patch for the problems can be found here:
http://www.microsoft.com/technet/security/bulletin/MS02-015.asp.

Previous cumulative patches for Internet Explorer came out on Feb. 11, Dec. 13 and Nov. 13. Microsoft had issued two bulletins about critical security problems involving IE since the Feb. 11 cumulative patch.

A critical problem with Microsoft's XML Core Services, a component of Internet Explorer 6.0, Windows XP and SQL Server 2000, was patched on Feb. 21. The same day, Microsoft alerted users to a critical problem with the way IE handles VBScripts that could allow malicious Web page designers to read local files.