Time to dump Internet Explorer
The latest version of IE is 6, and it has certainly accumulated an impressive record of holes: 153 since 18 April 2001, according to the SecurityFocus Vulnerabilities Archive. There have been some real doozies in there. For instance, last August, Microsoft issued a patch that fixed a hole that the company described this way: "It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it would be possible for the attacker to exploit this vulnerability without any other user action." Oh, is that all? Well, that's super - simply visit a Web page, and you're 0\/\/N3d, d00d!
A little over a week ago, the SecurityFocus Vulnerability Database reported the "Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability," which "may permit cross-zone access, allowing an attacker to execute malicious script code in the context of the Local Zone." That was just one of the six reported so far this month - and we're only halfway through!
By Scott Granneman at SecurityFocus.