Microsoft plugs cookie hole in IE6

Microsoft has issued a patch for a hole in its Internet Explorer browser which allows hackers access to information held in unsuspecting users' cookies.

The hole, discovered by Finnish security firm Online Solutions, enables someone to code a web page in such a way that they gain access to information held on a cookie.

Microsoft played down the situation, with Windows product manager Neil Laver saying the problem was more theoretical than actual: "We have no examples of where this hole has been exploited, and to be dangerous the problem requires a number of specific conditions to be met."

He said it was rare that users would have sensitive information held on a cookie, and users would have to visit the malicious site to be in any danger.

However he accepted that in those conditions, IE6 at default settings would leave browsers vulnerable.

Microsoft has published the patch on its update site as a standard priority patch. Laver said: "We urge system administrators to apply all patches as they are issued."

Microsoft has been heavily criticised recently for releasing bug-filled software which makes users rely on a string of patches to keep themselves secure. Laver denied Microsoft suffered any more than its competitors.

Cookies are pieces of information put on your hard disk by websites to identify you to them whenever you visit that site. Some hold sensitive information such as your name, email address, and passwords.

For related news, see
Exclusive: Microsoft gifts your credit card details to fraudsters
http://www.silicon.com/a49150
Cheat Sheet: Microsoft Passport
http://www.silicon.com/a49043
Microsoft demands responsible reporting on flawed software
http://www.silicon.com/a49019
Read your boss's CV online, thanks to Microsoft...
http://www.silicon.com/a48973