Internet Explorer 7 flaw - slow news day

You know it's a slow news day when a flaw like this makes the TV news. [Or when it makes the front page of a normally respectable security site like Secunia.]

Okay, so the first thing to note is that if you try this flaw on other browsers - Internet Explorer 6 or Firefox 2.0, for instance - what happens is that the popup appears on screen without an address bar. So, if this popup is going to persuade you on Inernet Explorer 7 to click in a bad place, then it's going to persuade you even more easily to click in a bad place on Internet Explorer 6 or Firefox 2.0.

The next thing to note is that it doesn't work if your fonts are different widths from the default, for instance if you use a high-DPI font, or use larger fonts because of poor visibility, or just because you like them - the number of padding characters used has to match exactly with the width of the popup window.

Other reasons the flaw is next to useless:

  • If you enable Internet Explorer 7's ability to open popups in another tab, the flaw is totally wasted.
  • If you click anywhere in the window (and I don't suggest you do on any popup), the address is revealed.
  • If you click in the address bar, the address is revealed.
  • The flaw only works while the text in the address bar is fully selected - meaning that it's highlighted, and looks different from every respectable popup (is there such a thing?). Again, you should be aware that any time something looks different from usual, it's a warning flag at best, and probably something to be avoided.

Oh, and Internet Explorer 7 comes with a phishing filter - which I really suggest you accept - that prevents you from being lured to known phishing sites by popups such as these.

Really, there are so many down-sides to this flaw, from the perspective of a malicious person trying to actually exploit it, that it's a wonder anyone bothered to spend time typing the web page up that demonstrates it.

In a way, this demonstrates Internet Explorer 7's superiority over previous versions - if this really is the most newsworthy attack you can make, Internet Explorer 7 must be solid.

I'll restate very simply the reasons that Internet Explorer 7 is worth an install:

  1. You are required to have a version of Internet Explorer on your Windows system - it's a part of the OS.
  2. Every flaw that has been found in Internet Explorer 7 has been found in previous versions of Internet Explorer - and each one (of two) is minor and complex, so much so that despite widespread publicity for some considerable time, there are no known exploits in the wild.
  3. Internet Explorer 7 closes a huge number of avenues of attack that were present in Internet Explorer 6.

Put all that together, and it's clear that installing Internet Explorer 7 will improve your security. Whether you use it is up to you.

Whether you use Internet Explorer, Firefox, or Opera, or some other browser, from a security standpoint, installing Internet Explorer 7 is a big win. Plus, it's much easier and more fun to use.

Published Fri, Oct 27 2006 7:39 by Alun Jones

Leave a Comment

(required) 
(required) 
(optional)
(required) 
If you can't read this number refresh your screen
Enter the numbers above: