By Chris Mosby
Among the patches Microsoft released on Patch Tuesday this week is yet another cumulative rollup for the company’s Internet Explorer browser.
But an IE flaw that’s been present at least since 2004 is still unpatched, because Microsoft never released a patch for IE 6 and allowed the flaw to remain in IE 7.
IE feature reveals usernames and passwords
Brian Krebs, who writes a computer security blog for the Washington Post, recently reported an IE flaw that he learned about while attending the latest DEFCON hacker conference in Las Vegas.
Krebs says he learned that IE 6 and 7 cause your FTP (File Transfer Protocol) username and password to be saved into any .htm, .html, or .mht file that you download to your local computer.
If you modify and then upload that file from your computer back to the FTP server, all someone has to do is view the source of that file and your FTP credentials are in plain sight. With that information, a hacker could do just about anything to your Web site that he or she wanted.
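A pre-upload check for the exposure described above, as an added example that is not from Krebs's report or from Microsoft: it flags saved pages whose source contains an FTP URL with embedded credentials and can strip the credentials before the file goes back to the server. It assumes the credentials appear in the form `ftp://user:password@host`; the function names and the sample page, including its `saved from url` comment, are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: the leaked credentials take the form ftp://user:password@host/...
FTP_CRED = re.compile(r"(ftp://)([^\s:/@\"'<>]+):([^\s/@\"'<>]+)@", re.IGNORECASE)
SAVED_PAGE_SUFFIXES = {".htm", ".html", ".mht"}  # file types named in the article


def find_ftp_credentials(text):
    """Return (line_number, username) for every credentialed FTP URL in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in FTP_CRED.finditer(line):
            hits.append((number, match.group(2)))  # never echo the password
    return hits


def strip_ftp_credentials(text):
    """Rewrite ftp://user:password@host to ftp://host, leaving the rest intact."""
    return FTP_CRED.sub(r"\1", text)


def scan_tree(root):
    """Map each saved page under root to its findings; clean files are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SAVED_PAGE_SUFFIXES:
            hits = find_ftp_credentials(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page: not taken from a real site or from the article.
SAMPLE = (
    "<!-- saved from url=(0056)ftp://webmaster:Example-Pass1@ftp.example.test/index.htm -->\n"
    "<html><body><a href=\"ftp://ftp.example.test/pub/\">files</a></body></html>\n"
)

if __name__ == "__main__":
    for line_number, user in find_ftp_credentials(SAMPLE):
        print(f"line {line_number}: FTP credentials for user {user!r} in page source")
    print(strip_ftp_credentials(SAMPLE))
```

Any password the check finds in a file that was already uploaded should be treated as exposed and changed, since stripping it from the local copy does not undo the publication.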
According to Krebs, his source says Microsoft was informed about this problem in IE 6 well before IE 7 was released. Microsoft allegedly told Krebs’ source that fixing the problem would require rebuilding the entire feature.