Windows Secrets


Old flaws still plague Internet Explorer

By Chris Mosby

The Internet is buzzing about the release of Internet Explorer 7. The Internet is also buzzing about flaws in IE 7 that are left over from IE 6.

I first wrote about one IE 6 flaw in the May 11, 2006, issue of the newsletter — and it still hasn’t been patched yet. I wonder how many other holes remain active in Microsoft’s “new” browser?


Redirection flaw in IE 6 and 7 discloses information

As I reported back in that May 11 column, a flaw in IE 6 and 7 involves an error in redirections for URLs that use the mhtml handler.

Microsoft’s Christopher Budd tried to explain in an Oct. 19 blog entry that this flaw is not due to IE but to a component of Outlook Express. However, when I uninstalled Outlook Express (thank you, Justice Department), the MHTML vulnerability test provided by Secunia (described below) still showed that IE 7 was vulnerable. This was on a fully patched version of Windows XP SP2.

Successful exploitation of this flaw can allow one Web site you visit to access the pages of other Web sites. For instance, if you are logged on to your online bank account with IE, a hacked Web site you’re also viewing in IE would be able to see information in the bank’s window.

What to do: Secunia suggests disabling active scripting support in both IE 6 and 7. If you’ve followed Brian’s recommended settings for IE 6, then you’re already taken care of. These settings are normally inherited by IE 7 when you upgrade. As far as IE 7 goes, Brian’s story, above, goes into detail on hardening the new browser’s settings.

After you’ve changed the Internet Options for IE, try the tests for these browsers that are linked to on Secunia’s advisory pages for IE 6 and IE 7.
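The following PowerShell sketch is an added example, not part of the original column: it reports how the "Active scripting" URL action (registry value 1400) is set in each IE security zone, and can set it to Disable for the current user. The function names are illustrative, and defaulting to the Internet zone is an assumption, since the article does not name a zone.

```powershell
# Added example: audit IE's "Active scripting" URL action (value name 1400).
# Data values: 0 = Enable, 1 = Prompt, 3 = Disable. Function names are illustrative.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$States    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Per-user and per-machine settings, plus the Group Policy copies that override them.
$Suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneRoots = @(
    @{ Scope = 'User';           Path = "HKCU:\Software\$Suffix" },
    @{ Scope = 'Machine';        Path = "HKLM:\Software\$Suffix" },
    @{ Scope = 'User policy';    Path = "HKCU:\Software\Policies\$Suffix" },
    @{ Scope = 'Machine policy'; Path = "HKLM:\Software\Policies\$Suffix" }
)

function Get-ActiveScriptingState {
    foreach ($root in $ZoneRoots) {
        foreach ($zone in 0..4) {
            $key  = "$($root.Path)\$zone"
            $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }      # key or value not present in this hive
            $value = [int]$prop.'1400'
            $state = if ($States.ContainsKey($value)) { $States[$value] }
                     else { "Unknown ($value)" }
            [pscustomobject]@{
                Scope = $root.Scope
                Zone  = $ZoneNames[$zone]
                Value = $value
                State = $state
            }
        }
    }
}

function Disable-ActiveScripting {
    # Assumption: the Internet zone (3) for the current user only.
    param([int[]]$Zone = @(3))
    foreach ($z in $Zone) {
        $key = "HKCU:\Software\$Suffix\$z"
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
    }
}

# Report first; call Disable-ActiveScripting only after reviewing the output.
Get-ActiveScriptingState | Format-Table -AutoSize
```

A row under a policy scope means the setting is centrally managed, so a per-user change will not take effect for that zone.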

Pop-up spoofing inherited in IE 7 from IE 6

Secunia reported this week a second unpatched vulnerability in Microsoft’s recently released IE 7. The flaw involves a weakness in the way that IE 7 handles the address bar on pop-up windows. When some special characters are appended to the URL, a dishonest Web site operator can display the wrong address bar in the pop-up.

Posted in Windows Secrets on 2006-10-26.