There are a few good workarounds that will protect your cookie data from malicious copying. Disabling all cookies and active scripting should prevent this attack. Remember to disable scripting in e-mail. (If using Outlook, set the e-mail content zone to "Restricted Sites". This option should be available under the security settings.)

If you don't like losing the functionality of cookies and scripting, and are comfortable making changes to your system registry, the following also provides protection while leaving these enabled. This vulnerability depends on scripting that can occur on pages loaded under the "about:" protocol. Assigning this protocol to the Restricted Sites security zone prevents pages using this protocol from running scripts. This will provide protection. You have to edit the registry to make this assignment. All the usual disclaimers about registry editing apply: it can break your system, make backups before editing, and don't do this if you don't know what you are doing. I'm not responsible if you break your system.

Create a DWORD value in the registry named "about" under:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

and set its value to 4.

You can test for vulnerability at the following page: <http://www.solutions.fi/index.cgi/extra_iebug?lang=eng> Load this into a suspected vulnerable browser and enter the URL of a site you know you have cookies set for (and don't mind exposing to this webserver).

FWIW, Microsoft is blaming the discoverer of this vulnerability for irresponsibly releasing its details, even though this has been in the open for at least three weeks now (http://www.securityfocus.com/archive/1/221612) and the fix is apparently as simple as adding a single registry value.

<quote source="MS">
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
</quote source="MS">

be careful out there,
--rt

Daniel J. Cody wrote:
> http://news.cnet.com/news/0-1005-200-7828689.html
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp
>
> Apparently, the security hole allows malicious sites or HTML formatted
> emails to read cookies from domains outside their own. e.g. a malicious
> page on ebay.com could read a cookie set by amazon.com
>
> No patch yet. Fix is to disable active scripting and wait.
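The registry workaround described in the post above, written out as a PowerShell script. This is an added example and not part of the original message or of Microsoft's guidance; it assumes an elevated prompt, uses the key path and value from the post, and the backup file location under $env:TEMP is an assumed example path. Zone id 4 is the Restricted Sites zone in the ZoneMap numbering.

```powershell
# Added example (not from the original post): map the "about:" protocol to the
# Restricted Sites zone (zone id 4) and verify that the value was written.
# Run from an elevated PowerShell prompt.

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
$name = 'about'
$restrictedSitesZone = 4   # 0 = My Computer, 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted Sites

# Back up the key before editing, as the post advises (backup path is an assumed example)
$backup = Join-Path $env:TEMP 'ProtocolDefaults-backup.reg'
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' $backup /y | Out-Null

# Create the key if it does not exist yet
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Create the DWORD value, or update it if it is already present
$existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $restrictedSitesZone | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value $restrictedSitesZone
}

# Verify: read the value back and confirm it points at the Restricted Sites zone
$actual = (Get-ItemProperty -Path $key -Name $name).$name
if ($actual -eq $restrictedSitesZone) {
    "about: protocol is now mapped to zone $actual (Restricted Sites); backup saved to $backup"
} else {
    Write-Error "Expected zone $restrictedSitesZone for 'about', found '$actual'"
}
```

After running it, the verification step at the end is the same check a reviewer would make by hand in regedit: the "about" DWORD under ProtocolDefaults reads 4. To undo the change, import the exported .reg backup or remove the "about" value with Remove-ItemProperty.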