Is it time to dump Internet Explorer?

commentary The upside of having one software company design all your applications is that it's easy to make them all interoperate. The problem is that if one program breaks, it might break another seemingly unrelated program as well. Take, for instance, Internet Explorer. You wouldn't think a problem in Internet Explorer 6 could compromise your privacy in MSN Messenger 4.x, but up until recently, it could. And unfortunately, a new patch from Microsoft does not plug all of the browser's security holes.

As previously reported, malicious users could gain access to MSN Messenger's e-mail addresses and contact lists under the right conditions.

Here's how Messenger was designed to share certain information with JavaScript- or VBSscript-enabled Web sites. Only the domains Microsoft.com, Hotmail.com, and Hotmail.msn.com should be able to see Messenger's e-mail addresses and user contact lists. Those access rules are hard-coded into Messenger itself. However, according to a post by software engineer Richard Burton on BugTraq, a clever user could gain full access to MSN Messenger information through the Windows system registry at HKEY_LOCAL-MACHINESOFTWAREMicrosoftMessengerServicePoliciesSuffixes, under the values Suffix0, Suffix1, and so on.

For some reason, Microsoft provided these empty, additional suffixes and did not bother to write-protect them, so malicious users could just add their domain to Suffix0, and gain access to the contact info. Burton notes that adding .com to Suffix0 allows all .com sites to share MSN Messenger e-mail address and user list information. For a working example of this vulnerability, click here. A fix for MSN Messenger should be available later this week.

Yet an even greater danger exists when the above MSN flaw is combined with a vulnerability in Internet Explorer 6. Together these two security holes allow malicious users to hijack your Messenger account and impersonate you online.

First reported in mid-December, this so-called document.open vulnerability also allows malicious users to read cookie data on other sites. Normally, cookie data should be accessible only to the site issuing a cookie; that site should not be able to read other sites' cookies.

However, by crafting an exploit that only has the JavaScript method document.open and no method document.close, a malicious user can read other sites' cookies, read your MIME-encoded text and HTML files, or spoof a Web site (that is, direct users to a false Web site in order to collect personal information, such as credit card numbers). Bet you didn't know your browser could do all that, did you?

For working examples of the document.open exploits, see ThePull, and for an example of the MSN hijack, click here.

Fortunately, Microsoft issued a security bulletin, MS02-005, to address six Internet Explorer 5.01, 5.5, and 6.0.vulnerabilities, including the document.open flaw and a flaw first reported on Jan. 1 by software engineer Georgi Guninski. Called the IE GetObject() vulnerability, the flaw Guninski found allows malicious users to read local files or execute rogue programs on your computer. Guninski points out on his Web site that this isn't the first vulnerability to affect GetObject() and Internet Explorer. My guess is it won't be the last.

The recent Microsoft security bulletin also addresses a variant of the iFrame vulnerability, which allows malicious code to execute automatically in Outlook and Outlook Express, a favorite of recent viruses Badtrans.B and others. Rounding out the Microsoft package are fixes for buffer overruns in HTML directives, the ability to change file names upon download, and the ability to run malicious scripts in applications such as Access 2000, even if the user has disabled scripting.

Still, MS02-005 does not patch all the reported vulnerabilities within IE 6. Software engineers Tom Gilder and Thor Larholm have documented other vulnerabilities in the browser. So what can you do when no patch is available? Guninski suggests you disable Active Scripting and avoid using Internet Explorer while surfing the Internet. Given the abundant vulnerabilities, that's not such a bad idea.