Be careful if your users are running versions of Microsoft Internet Explorer earlier than 5.5. If they surf past the wrong Web page, a malicious user can capture any password or username created or entered during the current online session. This vulnerability was recently discovered and is detailed in Microsoft Security Bulletin MS00-076. Microsoft no longer supports Internet Explorer 4.x, so users of Internet Explorer 4.x who are concerned about this vulnerability must upgrade to version 5.5. Otherwise, they must install an earlier version of Internet Explorer 5.x and then download a patch from Microsoft’s site.
If you decide to use the patch, you will also need Internet Explorer 5.01 SP1 to complete the installation. When installing the patch, you may get a message reporting, "This update does not need to be installed on this system." You should ignore the message; installing the update really is necessary.
Internet Explorer's basic user authentication caches passwords to make it easy for users to continue using sites after they initially log on. The browser is supposed to restrict access to this logon information to the secure pages associated with the same site. The problem is that the listed versions of Internet Explorer will also send the authentication data to any nonsecure page at that site. Microsoft says that the danger for Internet Explorer users is the possibility that a malicious user with access to the network could spoof a request when an authorized user logs on.
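The scoping flaw described above can be shown with a simplified model of a browser's Basic-authentication cache. This is an added example, not Internet Explorer's code or anything from Microsoft's bulletin; the class, function names, hosts and credentials are all hypothetical, and real browsers also scope by realm and path, which the model leaves out.

```javascript
// Simplified model of a Basic-auth credential cache (constructed for illustration).

// Flawed scoping, as the article describes it: credentials are keyed by host only,
// so a nonsecure page on the same site receives them as well.
const hostOnlyKey = (url) => url.hostname;

// Corrected scoping: credentials learned on a secure origin stay on that origin.
const originKey = (url) => `${url.protocol}//${url.host}`;

class CredentialCache {
  constructor(keyFn) { this.keyFn = keyFn; this.store = new Map(); }

  // Called after the user logs on successfully at urlString.
  remember(urlString, user, password) {
    // Basic auth is base64 encoding, not encryption: anyone who sees it can decode it.
    const token = Buffer.from(`${user}:${password}`).toString('base64');
    this.store.set(this.keyFn(new URL(urlString)), `Basic ${token}`);
  }

  // Headers the browser would attach to a later request for urlString.
  headersFor(urlString) {
    const value = this.store.get(this.keyFn(new URL(urlString)));
    return value ? { Authorization: value } : {};
  }
}

// Requests in a session that would carry cached credentials over plain HTTP.
function cleartextExposures(cache, requests) {
  return requests.filter((r) =>
    new URL(r).protocol === 'http:' && 'Authorization' in cache.headersFor(r));
}

// Constructed browsing session: one secure page, one nonsecure page on the
// same site, and one unrelated site.
const session = [
  'https://intranet.example.com/payroll/',
  'http://intranet.example.com/news.html',
  'http://other.example.com/',
];

function runDemo(keyFn) {
  const cache = new CredentialCache(keyFn);
  cache.remember('https://intranet.example.com/login', 'alice', 's3cret');
  return cleartextExposures(cache, session);
}

console.log('host-only scoping exposes:', runDemo(hostOnlyKey));
console.log('origin scoping exposes:   ', runDemo(originKey));
```

With host-only scoping the nonsecure page on the same site receives the header; with origin scoping nothing leaves the secure pages.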
According to Microsoft, if you have already upgraded your users to Internet Explorer 5.5, there's no need to take any action regarding this vulnerability. If you need further details, Microsoft Knowledge Base article Q273868 addresses this issue.