Tuesday, October 24, 2006

The "First Security Hole" in IE 7

By Brian Livingston
Much was made last week about the "first vulnerability" that was supposedly found in IE 7. There is in fact a vulnerability, but it's also one that's present in IE 5 and 6, which Microsoft has never corrected, although it's easy for you to work around it. The Dutch security firm Secunia reported on October 19th that malicious Web sites could grab data from other sites that had IE 7 windows open. For example, if you happened to be logged in to your online banking application and concurrently visited a hacker site, the bad site could see information from your banking site.
Microsoft developers poo-pooed the weakness, saying in an Oct. 19 blog post that the problem actually exists in an Outlook Express component, not a part of IE 7.
I've examined this claim and find that IE 7 does have a real problem, regardless of whether the code being exploited is considered a part of Outlook Express. In addition, the SANS Internet Storm Center confirmed on October 20th that IE 7 is vulnerable.
Secunia has posted a harmless browser test page that you can use to test your own copy of IE, and I urge you to do so. The firm also provides a description of the problem in two separate advisories: one for IE 7 and the other for IE 5 and 6. I tested a workaround recommended by Secunia and found that it works. Use the Tools, Internet Options menu item in IE, select the Security tab, then change the Custom Level. Switch options to run ActiveX content to "Disable," then run Secunia's browser test again. After making this change to my copy of IE, the test no longer found that my browser was vulnerable.
Of course, no version of the Firefox browser has ever been vulnerable to the Secunia test. Until Microsoft closes this and other IE holes for good, Firefox gets my recommendation as the safest browser you can use to surf the Web.