Microsoft has released a security bulletin (but no patch!) informing users that a vulnerability exists in Internet Explorer 5.5 and 6.0 which can allow the data held in cookies to be exposed and altered.
The vulnerability exists because it is possible to craft a URL that allows a web site to gain unauthorized access to a user's cookies and potentially to modify the values they contain. Because some web sites store sensitive information in a user's cookies, personal information could also be exposed.
Until a patch is available, customers should consider disabling Active Scripting in the Internet Zone and the Local Intranet Zone. Customers using Outlook Express who have not set it to use the "Restricted Sites" Zone should do so as a best practice.
Mitigating factors:
- A user must first be enticed to a malicious web site or to open an HTML e-mail containing the malformed URL.
- Users who have applied the Outlook Email Security Update are not affected by the HTML mail exploit of this vulnerability.
- Users who have set Outlook Express to use the "Restricted Sites" Zone are not affected by the HTML mail exploit of this vulnerability because the "Restricted Sites" zone sets Active Scripting to disabled. Note that this is the default setting for Outlook Express 6.0. Users of Outlook Express 6.0 should verify that Active Scripting is still disabled in the Restricted Sites Zone.
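The zone settings the bulletin relies on (Active Scripting disabled in the Internet and Local Intranet Zones, and still disabled in the Restricted Sites Zone used by Outlook Express) can be verified rather than trusted. The PowerShell script below is an added example and is not part of the Microsoft bulletin or of this article. It assumes the per-user zone settings live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<id> (1 = Local intranet, 3 = Internet, 4 = Restricted sites) and that the Active Scripting action is the DWORD value named 1400 (0 = Enable, 1 = Prompt, 3 = Disable); the switch name -Fix is the example's own.

```powershell
# Added example, not from the bulletin or the article.
# Reports the "Active scripting" action for the IE zones named in the text and,
# with -Fix, sets any zone that is not already "Disable" to 3 (Disable).
# Assumptions: per-user zone keys under the Zones path below; policy value
# named "1400" holds the Active scripting action (0 Enable, 1 Prompt, 3 Disable).
param(
    [switch]$Fix   # hypothetical switch: apply the fix instead of only reporting
)

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = [ordered]@{ 1 = 'Local intranet'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Actions  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingAction {
    param([int]$ZoneId)
    $key   = Join-Path $ZoneRoot $ZoneId
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    # The registry value is literally named "1400"; PowerShell exposes it as a property.
    $raw = $props.'1400'
    if ($null -eq $raw) { return 'not set (zone default applies)' }
    if ($Actions.ContainsKey([int]$raw)) { return $Actions[[int]$raw] }
    return "unknown ($raw)"
}

$problems = 0
foreach ($id in $Zones.Keys) {
    $name   = $Zones[$id]
    $action = Get-ActiveScriptingAction -ZoneId $id
    if ($action -eq 'Disable') {
        Write-Host ("[ok] Zone {0} ({1}): Active scripting = Disable" -f $id, $name)
        continue
    }
    $problems++
    Write-Host ("[!!] Zone {0} ({1}): Active scripting = {2}" -f $id, $name, $action)
    if ($Fix) {
        # 3 = Disable. Only the current user's profile is changed.
        Set-ItemProperty -Path (Join-Path $ZoneRoot $id) -Name '1400' -Value 3 -Type DWord
        Write-Host "     -> set to Disable"
    }
}
if ($problems -eq 0) { Write-Host 'All checked zones have Active scripting disabled.' }
```

Run it once to report, then with -Fix to apply the bulletin's workaround for the current user. Two caveats: the script reads only the HKCU copy of the zone settings, so a machine-wide copy under HKLM (used when the Security_HKLM_only policy is in force) or a Group Policy setting can override what it reports; and it does not check which zone Outlook Express itself is configured to use, so the "Restricted Sites" selection in Outlook Express still has to be confirmed in its own Security options.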