Speaking of IE security…

I recently linked to an article stating that users of Internet Explorer have been exposed to known critical vulnerabilities for 284 days last year. That sounds bad enough but unfortunately it is not all. For example I came across a vulnerability in Internet Explorer that has been ranked “Less critical” for reasons I don’t understand. What this does — it basically eliminates same-origin checks, any web site can read contents of another site. I put up an example that can check whether you are logged in on Google or Yahoo and read out your user name — provided that you use Internet Explorer. It could just as well read out your mail or change your mail password. It could also go into your banking account if you happen to be logged in. Information on this vulnerability has been published April last year and still unpatched in both Internet Explorer 6.0 and 7.0.

Comments

  • Neglacio

    Everybody knows that IE is one of the less secure browser there is.
    And that with the lack of thorough investigation of holes by their teams… Catastrophe…

    So dead to IE, hail FIREFOX :D

    Wladimir Palant

    I have seen far too many claims that IE7 is secure. The reality is far from it – while there has certainly been much improvement, Internet Explorer still is a very bad choice. I am still waiting for Microsoft to finally drop ActiveX…

  • IceDogg

    No offense but apparently everyone doesn’t know how insecure IE is because many people are still using it and some even defend it. Claiming it’s only noobs (idiots) that don’t know how to protect them selfs that are to blame.

  • andi h.

    I wonder why almost nobody realizes the “vulnerability” of the Mozilla Foundation. Ok, in the case of Firefox at least we know who is spying on us. Because FF 2.0 is pure Google-spyware. The only question that remains: Who else will get to no all the close data collected from us.

    Wladimir Palant

    lol

  • Will

    That’s not a bug in IE. MHTML protocol is part of Outlook Express.

    Wladimir Palant

    I wondered how long it would take until somebody brings up that argument. Fact is – I don’t care where the buggy code lives. Internet Explorer exposes users to this vulnerability so Internet Explorer is to blame. At the very least its developers made sure that the MHTML protocol can be triggered from XMLHttpRequest, and I doubt many external protocols can be.

    But even if we accept this argument, Outlook Express isn’t exactly a third-party component. It is developed by the same company, it is distributed through the same channels (meaning amongst other things that it cannot be really uninstalled), it is supposed to be developed in parallel with Internet Explorer. Given all this I cannot understand why I still don’t see an Outlook Express update that would fix the issue. Is the communication inside Microsoft that bad? I doubt it.