Remind me why people still use IE
The Register: IE 6 SP1 omits fixes for 20 outstanding flaws:
Because of the way frames (and iframes) are handled by IE version 5.5 and above, attackers are able to get up to all sorts of mischief with minimal effort, including:
- Read local files from the victim’s hard drive, using a default local resource (ironically dubbed “PrivacyPolicy”) that contains frames in IE
- Execute arbitrary programs on the victim’s computer, using the woefully misnamed “PrivacyPolicy” resource
- Read a victim’s cookie and content from any remote site that contains a frame, which can lead to session-stealing and account compromise on sites containing frames—such as Hotmail
- Forge the content of any site that contains a frame. For example, the attacker could show the user a fake login screen at hotmail.com and log the results to a database.
Luckily, an upgrade is available which provides immunity to all of the above vulnerabilities (sorry, I just couldn’t resist that particular dig ;) ).