Simon Willison’s Weblog

Remind me why people still use IE

The Register: IE 6 SP1 omits fixes for 20 outstanding flaws:

Because of the way frames (and iframes) are handled by IE version 5.5 and above, attackers are able to get to all sorts of mischief with minimal effort, including:

  • Read local files from the victim’s hard drive, using a default local resource (ironically dubbed “PrivacyPolicy”) that contains frames in IE
  • Execute arbitrary programs on the victim’s computer, using the woefully misnamed “PrivacyPolicy” resource
  • Read a victim’s cookie and content from any remote site that contains a frame, which can lead to session-stealing and account compromise on sites containing frames—such as Hotmail
  • Forge the content of any site that contains a frame. For example, the attacker could show the user a fake login screen at hotmail.com and log the results to a database

Luckily, an upgrade is available which provides immunity to all of the above vulnerabilities (sorry, I just couldn’t resist that particular dig ;) ).

This is Remind me why people still use IE by Simon Willison, posted on 11th September 2002.

Previously hosted at http://simon.incutio.com/archive/2002/09/11/remindMeWhyPeopleStillUseIE