As if there weren’t enough reasons not to use Internet Explorer for Windows, this week alone two new threats were discovered. The first is a Trojan horse that exploits a still-unpatched Internet Explorer bug first discovered in May.
Microsoft has yet to provide a fix for the vulnerability, but is working on a patch, according to the security advisory. Security-monitoring company Secunia deems the problem “extremely critical,” its rarely given highest rating.
The vulnerability puts computers running Windows 98, Windows Millennium Edition, Windows 2000 and Windows XP at risk. An attacker could gain complete control of vulnerable systems by hosting malicious code on a Web site. Once an IE user visits the site, the malicious program would run without any user interaction.
The second is a design flaw in the way Internet Explorer handles CSS import commands and
[Unlike] classic XSS holes […] in this case the target site doesn’t have to be vulnerable to script injection. All an attacker has to do is lure a user to a malicious web page. Thousands of web sites can be exploited and there isn’t a simple solution against this attack at least until IE is fixed. That means millions of IE users are affected by this design flaw.
This vulnerability has been tested to work on a fully patched Microsoft Internet Explorer 6 browser and earlier versions are possibly vulnerable as well. Mozilla Firefox seems to adequately keep domain restrictions in CSS imports and doesn’t seem to be vulnerable to this type of attack. Opera isn’t vulnerable because it doesn’t support the
If you haven’t yet, now it’s really time to switch.