Bad Idea!
So Microsoft announced yet another critical IE security vulnerability (shocker, I know…) that enables an attacker to access and view your computer’s entire filesystem. While the vulnerability is mitigated by IE’s Protected Mode in Vista and Win7, 66% of the Internet is still using Windows XP, and 20% of those people are still running IE6. That’s a huge attack surface.
While this once again provides an excellent argument against tying your HTML rendering engine so deeply into the operating system that such attacks are even possible in the first place, Microsoft’s proposed workaround illustrates an even WORSE idea (from the Ars piece):
… enable Internet Explorer Network Protocol Lockdown for Windows XP. It requires editing the Windows registry, but thankfully Microsoft has created a “Fix it for me” for this workaround, available at KB 980088. Just click the “Fix this problem” link and you’re good to go. The Fix It automates Network Protocol Lockdown and can be run on individual systems and deployed by enterprises through their automated systems.
Really, you’re going to let an application with open access to the Internet modify the registry because a very possibly untrusted web page told it to?! What the hell, MS?!
Also, anyone who says “well, if the link triggers a security warning, that’s okay then” is an idiot. The users who would most benefit from this automated resolution method are the ones least likely to either understand or care about the security implications of such an action, and because of Windows’ tedious tendency to ask the user to approve damn near everything they do, those users are going to be trained to click “OK” just to make the dialog go away. It boggles my mind that such low-level, OS-impacting capabilities are exposed to such completely untrustworthy resources as remote web content.
It seems like IE6 (and Windows XP in general) is becoming an ever-increasing risk to individual and corporate data security on an almost weekly basis now. I wonder how much longer it will take companies to realize that the cost of overhauling their IE6-only internal web applications is far cheaper than the cost of losing enormous piles of sensitive or even classified information to a hacker in China…
The “Fix It” link downloads an MSI. Internet exploiter does not do the modifying. You should do some research before you fly off the handle about nothing.
Comment by Hoikas on February 5, 2010 at 3:29 pm