Cross-Domain Vulnerability In Microsoft Internet Explorer 6
New Microsoft Internet Explorer 6 vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. A proof-of-concept code for this vulnerability is already available. The vulnerability could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At this time, Internet Explorer 7 and Firefox do not appear to be affected by this issue.
The vulnerability is caused due to an input validation error when handling the “location” or “location.href” property of a window object. The vulnerability was first published in an article in Chinese Security E-zines, called pstzine, two days ago. The issue is very similar to the “Ghost Page” issues in IE, which was originally raised by security researchers, Manuel Caballero and Fukami at Microsoft Bluehat 2008.
Until a patch is available, IE6 users should disable scripting in the browser. Another option might be an upgrade to Microsoft Internet Explorer 7 or usage of alternative browser to help mitigate the risk.
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.