Will IE patch open new holes?
Published: 23 May 2002 16:30 BST
Last Wednesday, Microsoft issued a critical patch, MS02-023, which includes five different fixes for six known vulnerabilities in recent three recent releases of Internet Explorer. Got that?
However, several security experts have criticised Microsoft for not resolving the Web browser's underlying security issues, nor fully testing the patch before its release. In the end, those of you who apply the 2MB patch may find malicious users can still run scripts and perform arbitrary commands on your Internet Explorer browser.
Here's a recap of the patch's key problems.
- Microsoft reports that the cross-site scripting flaw, which allows code injected by malicious users to run in the local computer zone (despite whatever security zone had been set by the user), is now fixed. However, software engineer Thor Larholm, writing to BugTraq, says the flaw really involves the "dailogArguments" statement, and is not remedied by the latest patch.
- Microsoft says the cascading style sheets that could allow a malicious user to read -- although not change or delete -- files on a remote system is also fixed. However, software company GreyMagic reports that this fix does not work, either. To prove it, the company offers a demonstration for users to try after installing the MS02-023 patch.
- Microsoft claims the "Script within Cookies reading Cookies" flaw, which could allow a malicious user to plant a script on your computer that reads remote cookies, is fixed. However, Andreas Sandbald, an engineering student, published a workaround on BugTraq that could allow a malicious user to exploit this even after the MS02-023 patch is installed.
Previous
Did you find this article useful?
21 out of 39 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
