New attack for an old browser

Shaun Nichols in San Francisco

Security experts warn of IE6 flaw…

Security experts have warned of a new vulnerability in Microsoft’s Internet Explorer 6. The US Computer Emergency Response Team (US-Cert) said that the flaw lies in the way the browser handles attempted cross-site scripting attacks. When code is embedded within a specially crafted HTML document, the browser's security protections do not function properly, leaving the user open to attack. US-Cert believes that an attacker could execute a cross-domain scripting attack and steal cookies and security credentials without any warning to the user.

McAfee researcher Yichong Lin explained that the vulnerability was first disclosed in a Chinese security publication known as Pstzine. Lin noted that a similar concept, known as Ghost Pages, has previously been discussed by researchers.

While no fix is currently available for the vulnerability, Firefox and Internet Explorer 7 are protected from the attack.

McAfee and US-Cert recommend that IE6 users upgrade to the latest version of the browser to avoid infection. Users who do not wish to upgrade are advised to disable scripting.