NEWS FROM THE LAB - Friday, June 27, 2008

Internet Explorer 6 Cross-Domain Scripting Vulnerability Posted by Vulnerabilities @ 14:44 GMT

Microsoft's Internet Explorer 6 has a reported cross-domain scripting vulnerability which could potentially expose user credentials (such as usernames/passwords) and allow cookie hijack sessions.

Based on the results of our most recent poll:

Browser Poll Results

…this won't directly affect 98% of our readership.

But as Mike Clark commented, "I answered Firefox, but I filled out the survey in IE6! This is because I am at work and my boss specifically refuses to allow me to use FF".

So at least one of you has to use IE 6.

As per reports, the vulnerability exploits Internet Explorer 6 installed on Windows XP SP2/SP3. The latest version of Internet Explorer (IE 7) with its improved handling of JavaScript protocol URLs is not vulnerable.

This vulnerability has been reported to Microsoft and the research team has created a proof of concept:


If you open the link in IE 6, you'll see that the domain raffon.net has been linked to the cookie of different domain, i.e. Google.com.

It's a PoC and isn't yet known to be in the wild, but it is considered to be moderately critical as many people still use IE 6.

Vulnerability Team post by — Jay