MS02-023: Patch Available for Script in Cookies Reading Cookies Vulnerability

Article ID: 322926
This article was previously published under Q322926
This article has been archived. It is offered "as is" and will no longer be updated.

SYMPTOMS

An information-disclosure vulnerability that affects cookies exists in Internet Explorer. Through scripting that is contained in cookies, a malicious Web site can potentially read or change the contents of a user's cookies. These cookies might contain personal information.

To exploit this vulnerability, the attacker is likely to have to create a Web page that creates a specially formed cookie that contains the script. The attacker then must post the page on a Web site.

The vulnerability does not permit the script to access any other information on the local computer. The vulnerability also does not permit scripting to take any other actions on the computer, such as adding, changing, or deleting data. To access a cookie, an attacker must know its exact name. By itself, this vulnerability provides no means for an attacker to acquire that information.

CAUSE

This vulnerability occurs because of a flaw in how Internet Explorer determines the correct security zone for handling scripts that are embedded in cookies, and how that determination interacts with the zone classification for all cookies. Because cookies are considered to be part of the same domain under the Internet Explorer cross-domain security model, Internet Explorer treats attempts by scripts in cookies to access other cookies as a valid operation. However, because cookies are not isolated content, but are tied to originating sites, this can provide a means for a Web site to illegally access and work with information that is contained in another site's cookie.
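
The following is an added example, not part of the original article and not Internet Explorer code. It is a simplified model of the access decision described above, showing the flawed check beside one that isolates cookies by originating site; CookieJar, readFlawed, readIsolated, and the host names are hypothetical.

```javascript
// Simplified model of the access decision described under CAUSE.
// Assumption: every name here is hypothetical; this is not IE's code.
class CookieJar {
  constructor() { this.entries = []; }
  // Every cookie remembers the site that set it.
  set(site, name, value) { this.entries.push({ site, name, value }); }
  // Lookup is by exact name only: the caller must already know the name.
  byName(name) { return this.entries.filter((c) => c.name === name); }
}

// Flawed check: script carried inside a cookie is classified as "cookie
// content", and all cookies are treated as one domain, so the originating
// site of the target cookie is never compared.
function readFlawed(jar, caller, name) {
  return jar.byName(name)
    .filter((c) => caller.kind === "cookie" || c.site === caller.site)
    .map((c) => c.value);
}

// Isolated check: the cookie's originating site must match the site that
// delivered the script, whatever container the script runs from.
function readIsolated(jar, caller, name) {
  return jar.byName(name)
    .filter((c) => c.site === caller.site)
    .map((c) => c.value);
}

// Constructed sample data.
const jar = new CookieJar();
jar.set("shop.example", "session", "abc123");
jar.set("other.example", "tracker", "script-bearing cookie");

const scriptInCookie = { kind: "cookie", site: "other.example" };
console.log(readFlawed(jar, scriptInCookie, "session"));   // another site's cookie is returned
console.log(readIsolated(jar, scriptInCookie, "session")); // nothing is returned
console.log(readIsolated(jar, scriptInCookie, "tracker")); // the caller's own cookie is returned
```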

RESOLUTION

Internet Explorer 6

To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
328548 How to Obtain the Latest Internet Explorer 6 Service Pack
The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.5 Service Pack 2

The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

Internet Explorer 5.5 Service Pack 1

The update for this problem is included in the "May 15, 2002, Cumulative Patch for Internet Explorer." For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
321232 MS02-023: May 15, 2002, Cumulative Patch for Internet Explorer

STATUS

Internet Explorer 6

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 6. This problem was first corrected in Internet Explorer 6 Service Pack 1.

Internet Explorer 5.5

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Explorer 5.5.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-023.mspx

Properties

Article ID: 322926 - Last Review: February 27, 2014 - Revision: 4.9
APPLIES TO
  • Microsoft Internet Explorer 5.5 Service Pack 1
  • Microsoft Internet Explorer 5.5 Service Pack 2
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 6.0, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Media Center Edition
    • Microsoft Windows XP Tablet PC Edition
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Datacenter Server
    • Microsoft Windows 2000 Professional Edition
    • Microsoft Windows 2000 Server
    • Microsoft Windows NT Server 4.0 Standard Edition
    • Microsoft Windows NT Server 4.0, Terminal Server Edition
    • Microsoft Windows NT Workstation 4.0 Developer Edition
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Second Edition
    • Microsoft Windows 98 Standard Edition
Keywords: 
kbnosurvey kbarchive kbbug kbfix kbsecvulnerability kbie600presp1fix kbsecurity kbie600sp1fix kbie550presp3fix kbsecbulletin kbsechack KB322926
