Simon Willison’s Weblog

Items tagged security, ie

Filters: security × ie ×


Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attach area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.

Microsoft spokesperson # 24th September 2009, 4:49 pm

Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari. You just can’t trust browser security: Current versions of Safari, IE8 and Firefox all fell to zero-day flaws at an exploit competition. None of the vulnerabilities have been disclosed yet. # 19th March 2009, 3:30 pm

Ehy IE8, I Can Has Some Clickjacking Protection? (via) IE8 has built-in protection against clickjacking, but it’s opt-in (with a custom HTTP header) and IE only. It turns out the usual defence against clickjacking (using framebusting JavaScript) doesn’t work in IE as it can be worked around with a security=“restricted” attribute on an iframe. # 29th January 2009, 1:39 pm

Microsoft: Big Security Hole in All IE Versions. Looks like a 0-day that’s being actively exploited. # 16th December 2008, 8:26 pm

The March of Access Control. The W3C Access Control specification is set to become a key technology in enabling secure cross-domain APIs within browsers, and since it addresses a legitimate security issue on the web I hope and expect it will be rolled out a lot faster than most other specs. # 19th November 2008, 8:40 am

Flirting with mime types [PDF] (via) Different browsers have different rules for which content types will be treated as active content (and hence could be vectors for XSS attacks). IE uses a blacklist rather than a whitelist and hence rendered active content for 696 of the tested content types. # 14th April 2008, 8:18 am

HTTPOnly cookie support in Firefox. Five years after the bug was filed, HTTPOnly cookie support has gone in to the Mozilla 1.8 branch. This is a defence in depth feature that has been in IE for years—it lets you set cookies that aren’t available to JavaScript, and hence can’t be hijacked in the event of an XSS flaw. # 6th September 2007, 6:27 am

Gaping holes exposed in fully-patched IE 7, Firefox (via) Michal Zalewski released a new Firefox 2.0 vulnerability in addition to the IE cookie stealing one. # 6th June 2007, 9:57 am

IE vulnerability allows cookie stealing. Full exploit against the same-domain cookie origin policy, so malicious sites can steal cookies from elsewhere. Avoid using IE until this is patched. # 6th June 2007, 9:53 am

Zero-Day Exploit Targets IE (via) Remote code execution. No patch yet; disable Active Scripting instead. # 22nd November 2005, 6:24 am

Internet Explorer 7. It’s been announced, but the stated focus is security and anti-phishing. No news on improved CSS. # 15th February 2005, 7:04 pm

IE in Windows XP SP2. An overview of the new security changes. # 10th August 2004, 7:39 pm

Nasty new IE vulnerability

Most people reading are probably aware of the common trick whereby spammers and other assorted ne’er-do-wells publish URLs with usernames that look like hostnames to fool people in to trusting a malicious site—for example, http://www.microsoft.com&session%123123123@simon.incutio.com. This trick is frequently used by spammers to steal people’s PayPal accounts, by tricking them in to “resetting” their password at a site owned by the spammer but disguised as PayPal.com.

[... 164 words]