It would appear that I’ve accidentally uploaded an old stylesheet over the top of my new design. Hopefully I have the new design stylesheet backed up somewhere within the sprawling maze I like to call my highly-organised filesystem…
I do quite like the new design, so it would be a shame to lose it =(
The last post was something of a rant; however, it was serious. I do believe that Internet Explorer, as a web browser, is inherently unsafe to use on a day-to-day basis. There are two main recent bugs that have led me to this belief:
Both of these bugs allow an attacker to steal sensitive details from you without you knowingly visiting a site that looks suspicious from a user’s point of view.
This article at Wired News pointed me towards a page that fully describes the Download.Ject exploit discussed in the last two posts. The page in question is written by the usually conservative CERT organisation. In a change from their normal general “use a firewall, virus scanner and keep software patched” type advice, this vulnerability gives them cause for more alarm too, prompting this recommendation:
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).
I resurrected some code I did a while ago for comments on dx13. I’ve received a few responses via email to the 1, 2 and 3), and I thought it would be interesting to allow comments on them.
I’m willing to bet there won’t be any comments because most of the people who would comment will have emails, but still, it will be available for the next time a controversial post comes up!
This week there was a news story about IE and IIS, Microsoft’s web browser and web server respectively. It turns out there is an unpatched bug in both programs that, when exploited in concert, provides a rather nifty way for an attacker to retrieve pretty much anything from your computer without you knowing a thing.
What would happen is that the server would be exploited in such a way that IE would be tricked into installing a program from a different site entirely. Normally you would be shown a dialog box that warns you and allows you to prevent the installation. However, the attacker also takes advantage of an IE bug that allows them to bypass this security measure. This in effect allows them to install any software they wish onto your computer without you knowing or even visiting a site you wouldn’t normally visit.