Shaun Nichols in San Francisco
Security experts warn of IE6 flaw…
Security experts have warned of a new vulnerability in Microsoft’s Internet Explorer 6. The US Computer Emergency Response Team (US-Cert) said that the flaw lies in the way the browser handles attempted cross-site scripting attacks. When code is embedded within a specially crafted HTML document, the security protections will not function properly, leaving the user open to attack. US-Cert believes that an attacker could execute a cross-domain scripting attack and steal cookies and security credentials without any warning to the user.
McAfee researcher Yichong Lin explained that the vulnerability was first disclosed in a Chinese security publication known as Pstzine. Lin noted that a similar concept, known as Ghost Pages, has previously been discussed by researchers.
While no fix is currently available for the vulnerability, Firefox and Internet Explorer 7 are protected from the attack.
McAfee and US-Cert recommend that IE6 users upgrade to the latest version of the browser to avoid infection. Users who do not wish to upgrade are advised to disable scripting.