IE Unauthorized Cookie Access

IE Unauthorized Cookie Access
Reported May 19 by
Marc Slemko

  • Internet Explorer 4.x
  • Internet Explorer 5.x


    By design, the IE security model restricts cookies so that they can be read only by sites within the originator"s domain. However, by using a specially-malformed URL, it is possible for a malicious web site operator to gain access to another site"s cookie and read, add or change them. A malicious web site operator would need to entice a visiting user into clicking a link in order to access each cookie, and could not obtain a listing of the cookies available on the visitor"s system. Even after recovering a cookie, the type and amount of personal information would depend on the privacy practices followed by the site that placed it there.


    Microsoft has issued a patch for the problem.

    The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q262509.

    - Frequently Asked Questions: Microsoft Security Bulletin MS00-033,

    - Knowledge Base article Q262509 discusses the overall patch

    - Knowledge Base articles Q251108 and Q255676 discuss the "Frame Domain Verification" vulnerability

    - Microsoft Knowledge Base article Q258430 discusses the
    "Unauthorized Cookie Access" vulnerability

    - Microsoft Knowledge Base article Q261257 discusses the
    "Malformed Component Attribute" vulnerability

    - Microsoft Knowledge Base (KB) article Q247333,
    Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings,

    - Microsoft TechNet Security web site,

    Discovered and reported by Marc Slemko

  • Hide comments


    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.