Home arrow HTML arrow Internet Explorer 6 Hacks And Holes Exposed

Internet Explorer 6 Hacks And Holes Exposed

Apparently Microsoft were in a little bit of a rush to get Internet Explorer 6 out the door, and forgot to take that extra bit of time to debug and test it for security cracks and holes. In this article Mitchell talks about the latest security holes found in IE6. He shows you how to test your system for vulnerabilities and also provides links to the relevant patches and more information on the holes.

Author Info:
By: Mitchell Harper
Rating: 5 stars5 stars5 stars5 stars5 stars / 20
February 14, 2002
  1. · Internet Explorer 6 Hacks And Holes Exposed
  2. · Mmmmm... gimme cookie!
  3. · Site Impersonation: Mixed Identities
  4. · Direct file access
  5. · Conclusion

print this article

Internet Explorer 6 Hacks And Holes Exposed
(Page 1 of 5 )

In today's world you're not even safe when you’re crossing the street at 2PM on a weekday. You can't look at someone the wrong way, you can't accidentally stumble into someone, and in some countries you can't even speak your mind: if you do, the consequences are deadly. It's no different on the Internet.

For the average home user running Windows 9x, ME, 2000, or XP, it's nearly impossible to keep up with the constant bug fixes for all of your applications. Obviously, the safest way to run your computer would be to never connect to the Internet at all, but what kind of a boring life would that be?

Over the last couple of days I've spent many an hour scouring the 'net for patches, bug fixes, and updates for my Windows 2000 web server running IIS 5, because that's where I'd be most vulnerable, right? Well apparently not. I was reading a new post the other day that linked to this site. What I found on that site shocked me.

Apparently Microsoft were in a little bit of a rush to get Internet Explorer 6 out the door and forgot to take that extra bit of time to debug and test it for security cracks and holes... naughty naughty.

If you're wondering how the heck a browser can be hacked, then please allow me to explain. Firstly, Microsoft's implementation of client side JScript (Microsofts version of JavaScript) exposes some simple security flaws that allow us to use common JScript functions such as document.open and document.write to spoof another site, steal cookies, and more worryingly physically read existing files on a users machine... all through one or two lines of code.

Unfortunately, if you're using the standard version of Internet Explorer 6 then you're not safe. I've tested some code snippets with both IE6 version 6.0.2479.0006 and version 6.0.2600.0000 and both were prone to the flaws. Think of the consequences of someone being able to manipulate your local files from a remote location.

I guess this bring up the question "Is IE6 really worth it?". Considering that there are several other browsers available for free (such as Netscape 6 and Opera 5, both of which do a great job of rendering pages closely to the W3C standards), is it worth sacrificing the integrity and security of your system just to get a couple of Internet Explorer 6 options such as smart tags? /me thinks not.

Being a seasoned JavaScript programmer myself, I was curious as to how these holes could be exploited. If you visit osioniusx.com/ then you'll see a complete list of coding examples and methods used to exploit these holes. Their examples and info are great, but I wanted to actually create a couple of HTML pages to show you just how severe the holes are.

This article was not designed to encourage hacking or anything of that nature. I wrote this article because I feel that the general public have a right to know whether or not certain actions they take might compromise their data or the security of their personal computers.

By continuing to read this article you are acknowledging that if any of the code samples described in this article compromise the security of your system in any way, then the only person who can be held responsible is you.
blog comments powered by Disqus

- Does HTML5 Need a Main Element?
- Revisiting the HTML5 vs. Native Debate
- HTML5: Not for Phone Apps?
- HTML5 or Native?
- Job Hunting? Freelancer.com Lists This Quart...
- HTML5 in the News
- Report: HTML5 Mobile Performance Lags
- The Top HTML5 Audio Players
- Top HTML5 Video Tutorials
- HTML5: Reasons to Learn and Use It
- More of the Top Tutorials for HTML5 Forms
- MobileAppWizard Releases HTML5 App Builder
- HTML5 Boilerplate: Working with jQuery and M...
- HTML5 Boilerplate Introduction
- New API Platform for HTML5

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 

Developer Shed Affiliates


© 2003-2018 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials