New security flaws discovered in IE, Outlook
July 11, 2002
Researchers have discovered a new security flaw in Microsoft's Internet Explorer (IE) Web browser and Outlook e-mail client. The flaw can leave systems open to malicious code carried on Web pages or in e-mails, Thor Larholm, a Danish security researcher, said Wednesday.
The hole is created by what is known as a cross-domain scripting flaw. In this case it means that HTML (Hypertext Markup Language) version 4 objects embedded in Web pages and e-mails can include code that allows an attacker to check out victims' cookie files, read their documents, and execute programs on their computer.
The bug was discovered on June 25, and information about it has been posted on several security lists since then. Larholm, who works for network security consultancy Pivx Solutions, said he had informed Microsoft of the bug the day it was discovered.
In testing, Larholm has demonstrated the flaw in IE 5.5 running on both Windows 98 and Windows NT and on IE6 running on Windows 2000. The flaw also affects the Outlook and Outlook Express e-mail clients.
To fix the current problem, Larholm said that users should disable ActiveX in the security settings for Internet Explorer, or run IE and Outlook in "Restricted" mode, at least until Microsoft releases a patch.
Microsoft said a patch will be available soon.