Critical Update for Internet Explorer 4 and 5


A "Critical Update" has been released for IE4 and IE5. It fixes three key security flaws which have little in common except for the fact that they affect the same .dll file.

  1. Frame Domain Verification vulnerability. A bug in the IE5 security system may allow a parent window to open a frame that contains a file on the visitor's computer and then read it. The Web site operator would need to know the name and location of the file, and could only view file types that can be opened in a browser window.
  2. Unauthorised Cookie Access vulnerability. By using a specially malformed URL, it is possible for a malicious Web site to gain access to the visitor's cookies and read or change them. The impact of this breach will depend on the type of cookies accessed and how they are handled on the legitimate owner's site.
  3. "Malformed Component Attribute" vulnerability. A more complex security hole that may allow the running of ActiveX components in IE's unchecked buffer.

To be vulnerable to these flaws you would need to visit a "malicious Web site" specifically aimed at the weaknesses. The security patch will fix all three issues and, as an added bonus, will fix the cryptic "WPAD Spoofing vulnerability". The patch can be applied to versions IE4.01 SP2 or IE5.01, which is available at www.microsoft.com or from the Patches section of the cover CD. For more information see the security document MS00-033 at Microsoft's site.


Category:Bugs and Fixes
Issue: August 2000

These Web pages are produced by Australian PC World © 2000 IDG Communications