Apparently Microsoft were in a little bit of a rush to get Internet Explorer 6 out the door, and forgot to take that extra bit of time to debug and test it for security cracks and holes. In this article Mitchell talks about the latest security holes found in IE6. He shows you how to test your system for vulnerabilities and also provides links to the relevant patches and more information on the holes.
Internet Explorer 6 Hacks And Holes Exposed - Mmmmm... gimme cookie! (Page 2 of 5 )
Cookies have taken their fair share of slack over the last couple of years, with many people insisting that cookies are not safe and that they can easily be "stolen" by another site. I, like many others, had simply dismissed this idea. If cookies are stored in a file on the visitor's computer, how can anyone access them remotely, right? It's just crazy. Indeed it is.
If you're running IE6, then the persistent cookies for any site you've visited can be stolen using two lines of JScript. Let's give this a test. Go and visit any site that lets you create a members account, but also lets you choose a "remember me for later" option. The "remember me for later" option is commonly used to allow visitors of a site to not have to re-enter their user credentials every time they re-visit the site. On smaller, less-global sites, typically a cookie is saved to the visitors' machine containing both the users login ID and password so that they can be logged in automatically the next time they visit.
Once you've created your new user account, remember the URL of the site. Create a new file named c:\cookie_steal.html and enter the following code into it:
<title> Mmmmm Gimme Cookie! </title>
url = prompt("Enter a fully qualified domain name:");
Load the page in your browser and enter the full domain name (including the http:// part) of the site that you just joined into the popup box. I won't disclose the details of the site that I joined, but here's the output in my browser:
As I'm sure you'll agree, this is one major security flaw: cookies were designed and implemented in such a way that one site could never access the cookies from another site, either by client-side code or server-side scripting technologies. I guess it would be understandable if it took 100,000 lines of code and 25 mainframe computers to get the cookies of a remote site from your PC, but using a couple of lines of JScript to do it just doesn't cut the mustard.
Think of all the ways that these cookies can be used and abused. If Joe Bloggs decides to create a page on his site that uses the JScript function above to get cookies from your PC (which could contain your user ID and password) for your online bank account and takes $10,000, them how do you prove it was him? There's no sign of forced entry, and you don't even know that your account details were stolen. Not good.
If you're using IE6, never select an option to "remember you for later". This could come back and bite you down the track, when you realize that someone has logged into one of your online accounts and has taken some of your personal data or belongings. Also, if you can live without cookies, do so. Set the security options in IE6 to notify you when cookies are being set, and only accept them if they contain jumbled data, such as an encrypted session ID or variable.