Microsoft Internet Explorer Security Patch: Cached Web Credentials Vulnerability 10-12-00

When a user authenticates to a secured web page via Basic Authentication, IE caches the userid and password that were used, in order to minimize the number of times the user must authenticate to the same site. By design, IE should only send the cached credentials to secured pages on the site. However, it will actually send them to non-secure pages on the site as well. If a malicious user had complete control of another user’s network communications, he could wait until another user logged onto a secured site, then spoof a request for a non-secured page in order to collect the credentials.The vulnerability does not provide a means by which the malicious user could force the other user to log onto a secure page of his choice, and could only be used to reveal credentials that had been cached during the current IE session. Note: This patch is for Internet Explorer 5.x, but not 5.5 or higher. (Internet Explorer 5.5 is not affected by this vulnerability.) The patch requires IE 5.01 SP1 or higher to install. Customers who install this patch on other versions may receive a message reading This update does not need to be installed on this system. This message is incorrect and should be ignored. Also, this venerability does affect IE 4.x; however, security patches for Internet Explorer 4.x are no longer being produced. Microsoft recommends that IE 4.x users who are concerned about this issue consider upgrading to either IE 5.01 SP1 or IE 5.5.