Password leaks in Internet Explorer
A security issue in Internet Explorer means all your passwords could have been at risk, but what is the extent of the problem? Is it as bad as it sounds, or is it journalistic hype?
You may have heard the recent news stories about the security flaw in Internet Explorer 7, Microsoft's flagship browser, its most secure browser. The flaw allows hackers to steal user names and passwords, even from fully patched and up to date Windows systems, and without needing to infect your PC with malicious software. Listening to the news reports, you could be forgiven for thinking that anyone who has turned on their PC in the last couple of months has become a victim. But what is the reality?
Firstly, the problem is not confined to IE7: both IE6 and IE8 Beta are equally vulnerable. It involves the way in which Internet Explorer saves your user names and passwords and auto-completes login forms for you. Whilst all the major browsers do this, the flaw in IE is that it does not tie your saved user names and passwords to specific domains. Hence, if you do no more than visit a website containing malicious JavaScript code, it is possible for that code to surreptitiously obtain some of the saved passwords from your browser and relay that information to the would-be hacker's website.
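The design point in the paragraph above, as an added sketch (not Internet Explorer's code and not part of the original article): a saved-login store modelled twice, once handing out credentials without regard to the requesting page and once bound to the exact origin. The store layout, function names and sample logins are constructed for illustration.

```javascript
// Simplified model of a browser's saved-login store (illustrative only).
// Constructed sample entries: each login records the page it was saved on.
const savedLogins = [
  { savedOn: "https://bank.example/login", user: "alice", password: "s3cret-bank" },
  { savedOn: "https://forum.example/signin", user: "alice_f", password: "s3cret-forum" },
];

// Reduce a URL to its origin (scheme + host + port), the unit a saved
// login should be bound to. Non-web schemes are rejected outright.
function originOf(url) {
  const u = new URL(url); // throws TypeError on malformed input
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error("unsupported scheme: " + u.protocol);
  }
  return u.origin; // e.g. "https://bank.example"
}

// Weak design, as the article describes it: the requesting page is never
// consulted, so every saved credential is eligible on every site.
function autofillUnscoped(store, pageUrl) {
  return store.map(({ user, password }) => ({ user, password }));
}

// Corrected design: a credential is eligible only when the origin it was
// saved on exactly equals the origin of the page asking for it.
function autofillScoped(store, pageUrl) {
  let pageOrigin;
  try {
    pageOrigin = originOf(pageUrl);
  } catch {
    return []; // malformed or non-web URL: offer nothing
  }
  return store
    .filter((entry) => originOf(entry.savedOn) === pageOrigin)
    .map(({ user, password }) => ({ user, password }));
}

// Constructed test pages: the real site, a look-alike host, a scheme
// downgrade, and a different port on the same host.
for (const page of [
  "https://bank.example/account",
  "https://bank.example.evil.test/login",
  "http://bank.example/login",
  "https://bank.example:8443/login",
]) {
  const unscoped = autofillUnscoped(savedLogins, page).length;
  const scoped = autofillScoped(savedLogins, page).length;
  console.log(`${page}: unscoped=${unscoped} scoped=${scoped}`);
}
```

Comparing the full origin rather than a substring of the host name is what keeps the look-alike host, the plain-HTTP page and the alternate port from matching.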
According to Internet security organisations, rumours began circulating earlier in the year about an IE7 password vulnerability. The code to exploit this flaw was trading on the black market in November 2008 for $15,000, which clearly illustrates the value of stolen passwords to the criminal fraternity. Showing that there is no honour amongst thieves, second and third hand pirate copies of the code were selling for around $650 at the start of December, and its existence became widely known when a Chinese security team released details of it after mistakenly believing that Microsoft had patched the flaw in its latest monthly updates. In response to this threat, Microsoft has rushed out emergency patches for all versions of its browser.
The way that the hackers deploy these exploits is by embedding the JavaScript code into hundreds of thousands of websites worldwide, typically sites hosting forums, bulletin boards, blogs, sites with insecure content management systems and insecure SQL servers. Unfortunately, there are a great many apparently respectable websites which do not properly check the submissions to their forums, do not screen out JavaScript and HTML, and end up as unwitting hosts to these malicious programs. Subsequently, people visiting those respectable websites are exposed to the password-stealing scripts hidden within their pages. Microsoft estimates that as many as 0.2% of all Internet users could have been to one of these compromised sites and Sophos says that the number of infected web pages is growing at 20,000 pages per day.
If you haven't already done so, please make sure that your Windows and browser software is up to date and fully patched. It costs nothing to download the updates and it is a fully automated procedure.
22nd December 2008
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.