The upside of having one software company design all your applications is that it's easy to make them all interoperate. The problem is that if one program breaks, it might break another seemingly unrelated program as well. Take, for instance, Internet Explorer. You wouldn't think a problem in Internet Explorer 6 could compromise your privacy in MSN Messenger 4.x, but up until recently, it could. And unfortunately, a new patch from Microsoft does not plug all of the browser's security holes.
As previously reported, malicious users could gain access to MSN Messenger's e-mail addresses and contact lists under the right conditions.
For some reason, Microsoft provided these empty, additional suffixes and did not bother to write-protect them, so malicious users could just add their domain to Suffix0, and gain access to the contact info. Burton notes that adding .com to Suffix0 allows all .com sites to share MSN Messenger e-mail address and user list information. For a working example of this vulnerability, click here. A fix for MSN Messenger should be available later this week.
Yet an even greater danger exists when the above MSN flaw is combined with a vulnerability in Internet Explorer 6. Together these two security holes allow malicious users to hijack your Messenger account and impersonate you online.
First reported in mid-December, this so-called document.open vulnerability also allows malicious users to read cookie data on other sites. Normally, cookie data should be accessible only to the site issuing a cookie; that site should not be able to read other sites' cookies.
For working examples of the document.open exploits, see ThePull, and for an example of the MSN hijack, click here.
Fortunately, Microsoft issued a security bulletin, MS02-005, to address six Internet Explorer 5.01, 5.5, and 6.0.vulnerabilities, including the document.open flaw and a flaw first reported on Jan. 1 by software engineer Georgi Guninski. Called the IE GetObject() vulnerability, the flaw Guninski found allows malicious users to read local files or execute rogue programs on your computer. Guninski points out on his Web site that this isn't the first vulnerability to affect GetObject() and Internet Explorer. My guess is it won't be the last.
The recent Microsoft security bulletin also addresses a variant of the iFrame vulnerability, which allows malicious code to execute automatically in Outlook and Outlook Express, a favorite of recent viruses Badtrans.B and others. Rounding out the Microsoft package are fixes for buffer overruns in HTML directives, the ability to change file names upon download, and the ability to run malicious scripts in applications such as Access 2000, even if the user has disabled scripting.
Still, MS02-005 does not patch all the reported vulnerabilities within IE 6. Software engineers Tom Gilder and Thor Larholm have documented other vulnerabilities in the browser. So what can you do when no patch is available? Guninski suggests you disable Active Scripting and avoid using Internet Explorer while surfing the Internet. Given the abundant vulnerabilities, that's not such a bad idea.