320 - IIS-IE-Rant–More-Calm

The last post was something of a rant, however, it was serious. I do believe that Internet Explorer, as a web browser, is inherently unsafe to use on a day-to-day basis. There are two main recent bugs that have led me to this belief:

  1. A recent exploit whereby a certain non-printing character could be inserted into a URL to hide everything after it in both the browser's status bar and address bar. The trick rests on how the @ sign works in a URL: anything before it is treated as a username, and the real host is whatever follows it. So a link of the form http://mysafesite.com@dodgysite.com/enterMyDetails actually goes to dodgysite.com, and with the hidden character placed just before the @, Internet Explorer showed only http://mysafesite.com, making it appear that you were entering your details on a legitimate site. This has been used a lot in so-called phishing, where the attacker tries to get you to enter your bank details in full on their site. Before anyone tells me, I do know there was a similar, but less severe, version of this on Mozilla browsers. However, the address bar, which is where most people look to determine the site they are on, always displayed the full address; it was only the status bar that displayed an incorrect address.
  2. The combined IIS/IE exploit, under which simply visiting a compromised site with IE was enough to get software installed on your PC without your permission. It was reported by Ars Technica, Microsoft themselves, the BBC and finally CERT.
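As an added illustration (my own code, not something from the original post or from any browser), here is what a URL parser makes of the @ trick versus what a display that stops rendering at a hidden character would show, followed by a small check that flags such links. The truncation model only imitates the effect described above; the sample URLs are constructed, and mysafesite.com and dodgysite.com are the placeholder names used in the post.

```javascript
// Added example: the '@' userinfo trick as seen by a URL parser, a model of a
// display that truncates at a control character, and a detector for the two.
// Uses the WHATWG URL parser built into Node.js and modern browsers (global URL).

// The link the post describes, in its working form: everything before '@' is
// userinfo, the real host is what follows it. Constructed sample, not a live URL.
const SPOOF_PLAIN = "http://mysafesite.com@dodgysite.com/enterMyDetails";
// Same link with a percent-encoded control character (%01) just before the '@',
// the variant that tripped the address-bar display. Constructed sample.
const SPOOF_HIDDEN = "http://mysafesite.com%01@dodgysite.com/enterMyDetails";

// Where the request really goes, according to the parser.
function realDestination(raw) {
  const u = new URL(raw);
  return { hostname: u.hostname, userinfo: u.username, pathname: u.pathname };
}

// A C0 control character, either raw or percent-encoded (%00 to %1F).
const CONTROL_CHAR = /[\x00-\x1f]|%[01][0-9a-f]/i;

// Model of the faulty display: stop rendering at the first control character.
// This imitates the effect the post describes; it is not how any browser
// renders today (assumption for illustration).
function truncatedDisplay(raw) {
  const cut = raw.search(CONTROL_CHAR);
  return cut === -1 ? raw : raw.slice(0, cut);
}

// The host a reader's eye picks up from a displayed string: the text right
// after "://" up to the first '/', '?', '#', '@' or control character, with any
// :port removed and lower-cased for comparison.
function apparentHost(displayed) {
  const m = displayed.match(/^[a-z][a-z0-9+.-]*:\/\/([^\/?#@\x00-\x1f]*)/i);
  return m ? m[1].replace(/:\d+$/, "").toLowerCase() : "";
}

// Returns a list of reasons a link looks like a display-spoofing attempt;
// an empty list means none of the indicators fired.
function phishingIndicators(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return ["unparseable"];
  }
  const reasons = [];
  // Credentials in a web link are almost never legitimate; they exist to
  // put a trusted-looking name in front of the '@'.
  if (u.username !== "" || u.password !== "") reasons.push("userinfo-before-@");
  // Control characters have no business in a link a user is meant to read.
  if (CONTROL_CHAR.test(raw)) reasons.push("control-character");
  // Compare what the eye would read against where the parser actually goes.
  const seen = apparentHost(truncatedDisplay(raw));
  if (seen !== "" && seen !== u.hostname.toLowerCase()) {
    reasons.push("apparent-host-mismatch");
  }
  return reasons;
}

// Usage: show displayed text, real host and indicators for each sample.
for (const link of [SPOOF_PLAIN, SPOOF_HIDDEN, "https://www.example.com/login"]) {
  console.log(
    JSON.stringify(truncatedDisplay(link)),
    "->",
    realDestination(link).hostname,
    phishingIndicators(link)
  );
}
```

The apparent-host comparison uses the parser's hostname, which is the punycoded form for internationalised names, so a link with a non-ASCII host will also raise the mismatch flag; for a detector that is the safe direction to err in.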

Both of these bugs let an attacker steal sensitive details from you without your ever knowingly visiting a site that looks suspicious from a user's point of view.

Take the phishing scams. Banks repeatedly tell you they will never ask for all your information in this way, so the request itself should look suspicious to a user. However, if you do visit the sites, from a user's view the sites in question look pretty legitimate.

However, the real risk lies in the second exploit mentioned. If a user downloads some software by choice, they are knowingly choosing to install that piece of software on their PC, warts and all. If a security exploit allows programs to be installed without the user's permission, I view it as very serious indeed. This is because a locally-installed program runs with your full user privileges, outside the restrictions a browser places on web content to stop malicious activity. Once an attacker has a program of their choosing installed on your computer they might as well be looking over your shoulder copying down your private details.

This sort of bug scares me into not using the browser at all. Prior to this bug, I would be happy to use IE for a short while, as long as I trusted the computer it was run on. With the demonstrated exploit of this bug, you could be tripped up whilst visiting sites you visit every day and believe to be safe. When you can be broken into even whilst carefully avoiding any known source of viruses and so on, you know something is wrong.
