Internet Explorer cookies open to abuse

by John Geralds in Silicon Valley

16 May 2000

Microsoft has confirmed that a flaw could leave its Internet Explorer (IE) browser wide open for hackers to steal 'cookies'.

The software giant said it would repair the flaw, which affects the two most recent versions of IE, estimated to be used by two thirds of the world's internet users.

Websites use cookies to collect details about visitors, to authenticate them on future visits and to store private information. The glitch could let hackers steal information such as customer names and passwords or gain access to web-based email accounts.

Steve Culp, a security official at Microsoft, said a patch would be available soon. "It's definitely a vulnerability," he said.

According to Bennett Haselton, a 21-year-old campaigner against internet censorship who discovered the flaw, IE can be tricked into granting a hacker permission to view the contents of any cookie on a victim's computer.

Internet privacy watchdog Peacefire.org said all known versions of IE for Windows 95, 98 and NT are affected, but IE for Macintosh and Unix is not. Other browsers, including Netscape Navigator, are not affected, said the group.

Rob Enderle, an analyst at researcher Giga Information Group, said: "[Fixing the flaw] is not as easy as it sounds and it should affect all browsers. This will be difficult to fix."

He said that the use of encrypted keys would make it difficult for would-be hackers to see what websites are sending. "You would probably need some type of a handshake between the client and server, and each request must be unique to the client," he said.

Microsoft said a security bulletin will be published at www.microsoft.com/technet/security/default.asp to discuss the issue and to advise how to apply the patch.

Last month Microsoft acknowledged a security flaw in server software that is part of its FrontPage 98 web creation program.
