Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 27th, 2008

Cross-Domain Vulnerability In Microsoft Internet Explorer 6

New Microsoft Internet Explorer 6 vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. A proof-of-concept code for this vulnerability is already available. The vulnerability could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At this time, Internet Explorer 7 and Firefox do not appear to be affected by this issue.

The vulnerability is caused due to an input validation error when handling the “location” or “location.href” property of a window object. The vulnerability was first published in an article in Chinese Security E-zines, called pstzine, two days ago. The issue is very similar to the “Ghost Page” issues in IE, which was originally raised by security researchers, Manuel Caballero and Fukami at Microsoft Bluehat 2008.

Until a patch is available, IE6 users should disable scripting in the browser. Another option  might be an upgrade to Microsoft Internet Explorer 7 or usage of alternative browser to help mitigate the risk.

Share this item with others:

More on CyberInsecure:
  • Microsoft Discovers Flaw In Google Plug-in For Internet Explorer
  • Microsoft Internet Explorer Script Injection Vulnerability
  • Critical Internet Explorer Security Vulnerability Fixed By Microsoft
  • Critical 0-day Vulnerability In Internet Explorer 6 And 7, Exploit Already Published
  • Internet Explorer 9 Now Available To Download, Domain Dedicated To The Browser Might Be Abused Soon

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Cross-Domain Vulnerability In Microsoft Internet Explorer 6

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.