Internet Explorer 7 flaw - slow news day
You know it's a slow news day when a flaw like this makes the TV news. [Or when it makes the front page of a normally respectable security site like Secunia.]
Okay, so the first thing to note is that if you try this flaw on other browsers - Internet Explorer 6 or Firefox 2.0, for instance - what happens is that the popup appears on screen without an address bar. So, if this popup is going to persuade you on Internet Explorer 7 to click in a bad place, then it's going to persuade you even more easily to click in a bad place on Internet Explorer 6 or Firefox 2.0.
The next thing to note is that it doesn't work if your fonts are different widths from the default, for instance if you use a high-DPI font, or use larger fonts because of poor visibility, or just because you like them - the number of padding characters used has to match exactly with the width of the popup window.
Other reasons the flaw is next to useless:
- If you enable Internet Explorer 7's ability to open popups in another tab, the flaw is totally wasted.
- If you click anywhere in the window (and I don't suggest you do on any popup), the address is revealed.
- If you click in the address bar, the address is revealed.
- The flaw only works while the text in the address bar is fully selected - meaning that it's highlighted, and looks different from every respectable popup (is there such a thing?). Again, you should be aware that any time something looks different from usual, it's a warning flag at best, and probably something to be avoided.
Oh, and Internet Explorer 7 comes with a phishing filter - which I really suggest you accept - that prevents you from being lured to known phishing sites by popups such as these.
Really, there are so many down-sides to this flaw, from the perspective of a malicious person trying to actually exploit it, that it's a wonder anyone bothered to spend time typing up the web page that demonstrates it.
In a way, this demonstrates Internet Explorer 7's superiority over previous versions - if this really is the most newsworthy attack you can make, Internet Explorer 7 must be solid.
I'll restate very simply the reasons that Internet Explorer 7 is worth an install:
- You are required to have a version of Internet Explorer on your Windows system - it's a part of the OS.
- Every flaw that has been found in Internet Explorer 7 has been found in previous versions of Internet Explorer - and each one (of two) is minor and complex, so much so that despite widespread publicity for some considerable time, there are no known exploits in the wild.
- Internet Explorer 7 closes a huge number of avenues of attack that were present in Internet Explorer 6.
Put all that together, and it's clear that installing Internet Explorer 7 will improve your security. Whether you use it is up to you.
Whether you use Internet Explorer, Firefox, or Opera, or some other browser, from a security standpoint, installing Internet Explorer 7 is a big win. Plus, it's much easier and more fun to use.