February 4th, 2004
Scanit, a Brussels-based security company, has put online a Browser Security Test which tests for vulnerabilities in your web browser. There is a complete listing of the tests they run should you be interested.
I ran the test on 3 of the big browsers (for the Windows platform, that is) and collected the results.
Results for Firebird 0.8.0+ (20040202) WinXP:
The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0
Results for Opera 7.23 WinXP:
The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0
Results for IE 6.0 WinXP:
The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0
Seems like all my browsers are safe. However, as this thread at SitePoint Community Forums shows, IE needs to be patched with the latest security patches (as mine has been) to protect it from several major security flaws. If you haven’t, do so now by going to Windows Update in an Internet Explorer browser!
January 30th, 2004
InfoWorld reports on a new Internet Explorer security hole that allows the extension of a downloaded file to be spoofed. A site author can make a download look like a harmless file type by spoofing the extension IE shows for it, when the file could in fact be anything, including a malicious executable.
Security company Secunia has a demo of this security hole over at their Internet Explorer File Download Extension Spoofing Test.
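The name IE shows in its download dialog is under the site author’s control; the bytes of the saved file are not. The following is an added example (not from the InfoWorld article, the Secunia test, or this blog) of the check a practitioner would apply to a saved download: classify the file by its leading bytes and compare that with what the extension claims. The signature table and the sample buffers are constructed for the example; the function and variable names are my own.

```javascript
// Classify a downloaded file by content, not by the extension the download dialog showed.
// Added example; sample inputs below are constructed, not captured from a real download.

const SIGNATURES = [
  { kind: "pe-executable", bytes: [0x4d, 0x5a] },        // "MZ": Windows .exe/.dll/.scr
  { kind: "elf", bytes: [0x7f, 0x45, 0x4c, 0x46] },       // "\x7fELF"
  { kind: "zip", bytes: [0x50, 0x4b, 0x03, 0x04] },       // "PK\x03\x04" (also docx, jar)
  { kind: "pdf", bytes: [0x25, 0x50, 0x44, 0x46] },       // "%PDF"
  { kind: "png", bytes: [0x89, 0x50, 0x4e, 0x47] },       // "\x89PNG"
];

// What each (claimed) extension should contain. Anything not listed is "unknown".
const EXT_KINDS = {
  exe: "pe-executable", dll: "pe-executable", scr: "pe-executable",
  zip: "zip", jar: "zip", pdf: "pdf", png: "png", txt: "text",
};

// Return the content kind for a Uint8Array, or "unknown".
function sniffKind(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.bytes.length && sig.bytes.every((b, i) => buf[i] === b)) {
      return sig.kind;
    }
  }
  // Text heuristic: the first 512 bytes contain no NUL and no control bytes other than \t \n \r.
  const head = buf.subarray(0, 512);
  const textual = head.every((b) => b === 9 || b === 10 || b === 13 || (b >= 0x20 && b !== 0x7f));
  return textual ? "text" : "unknown";
}

// Last dot-separated component of the filename, lowercased; "" when there is none.
function claimedExtension(filename) {
  const m = /\.([A-Za-z0-9]+)$/.exec(filename);
  return m ? m[1].toLowerCase() : "";
}

// Compare the claimed kind with the sniffed kind. A mismatch means the name lied.
function checkDownload(filename, buf) {
  const ext = claimedExtension(filename);
  const claimed = EXT_KINDS[ext] || "unknown";
  const actual = sniffKind(buf);
  const executable = actual === "pe-executable" || actual === "elf";
  return { ext, claimed, actual, executable, mismatch: claimed !== "unknown" && claimed !== actual };
}

// Constructed samples: a PE header fragment saved as "invoice.txt", and a genuine text file.
const peHeader = new Uint8Array([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]);
const textBody = new TextEncoder().encode("just a note\r\n");
console.log(checkDownload("invoice.txt", peHeader)); // mismatch: true, executable: true
console.log(checkDownload("notes.txt", textBody));   // mismatch: false, actual: "text"
```

Run with `node`; the same code works in a browser for a `File` read into a `Uint8Array`. The text heuristic deliberately accepts bytes above 0x7f so UTF-8 text is not flagged, and "unknown" claims are never reported as a mismatch, only executables are worth acting on regardless of name.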
The author of the InfoWorld article goes so far as to say:
The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer’s viability as a browser.
The other aforementioned spoof issue is, of course, the URL spoofing vulnerability. Some good news on this front though, with Neowin.net reporting that Microsoft will fix this with an IE update that removes support for usernames in HTTP URLs altogether (which also breaks the legitimate, if rare, use of http://user:password@host links).
Can’t say the damage hasn’t been done. Has it got your average non-technical Joe/Jane looking for alternative browsers? Maybe grandma is starting to ask for “a better Internet”? No one knows for sure, but I’m sure if this is publicized further in the mass media, there’ll be some very pleased converts.
December 10th, 2003
IE has a new security flaw which will be a major boon to spammers and fraudsters. It allows URLs to be spoofed via the http://user@domain syntax: everything before the “@” is user information (a login name), and the real host is whatever follows it. For example, a fraudulent spammer could direct victims to http://www.paypal.com&sessionid=123456789%01@blog.codefront.net, but have the address bar show http://www.paypal.com&sessionid=123456789 (of course, the fraudulent webpage has to be convincing enough to fool victims into believing they are actually at PayPal!). This works because IE stops displaying the URL at a 0x01 character (%01 in the link) placed immediately before the “@”, so the real location of the page is hidden!
To see it in action, fire up IE and check out this demonstration.
Source: Simon Willison
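To make the mechanism concrete, here is an added example (my own code, not from this blog, Simon Willison, or the linked demonstration). It parses an http URL the way the URL grammar does (user information before the last “@” in the authority, the real host after it), shows what a display that stops drawing at the first control byte would render, and wraps both in a link-audit check of the kind a mail or chat filter would want. The sample URL is constructed for the example, with blog.codefront.net standing in for the attacker’s host; the function names are my own.

```javascript
// Added example: why http://user@host URLs mislead, and a check that flags them.

// Decode %XX sequences only; leave everything else untouched.
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Split an absolute http(s) URL into scheme, userinfo, host, port, path.
// The authority runs up to the first "/", "?" or "#"; userinfo is everything
// before its last "@". (IPv6 literals in brackets are not handled here.)
function parseHttpUrl(url) {
  const m = /^(https?):\/\/([^/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/i.exec(url);
  if (!m) throw new Error("not an absolute http(s) URL: " + url);
  const authority = m[2];
  const at = authority.lastIndexOf("@");
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  const colon = hostport.lastIndexOf(":");
  return {
    scheme: m[1].toLowerCase(),
    userinfo,
    host: (colon === -1 ? hostport : hostport.slice(0, colon)).toLowerCase(),
    port: colon === -1 ? null : hostport.slice(colon + 1),
    path: m[3] || "/",
  };
}

// What a renderer that stops at the first C0 control byte shows: the behaviour
// the post describes for IE with a 0x01 byte before the "@".
function truncatingDisplay(url) {
  const decoded = percentDecode(url);
  const cut = decoded.search(/[\x00-\x1f\x7f]/);
  return cut === -1 ? decoded : decoded.slice(0, cut);
}

// Link-filter check: report the real host and why the link is suspicious, if it is.
function auditLink(url) {
  const parts = parseHttpUrl(url);
  const reasons = [];
  if (parts.userinfo !== null) {
    reasons.push("userinfo present; real host is " + parts.host);
    const decoded = percentDecode(parts.userinfo);
    if (/[\x00-\x1f\x7f]/.test(decoded)) reasons.push("control byte in userinfo");
    if (/\.[a-z]{2,}($|[&/?])/i.test(decoded)) reasons.push("userinfo looks like a hostname");
  }
  return { host: parts.host, shown: truncatingDisplay(url), suspicious: reasons.length > 0, reasons };
}

// Constructed sample matching the post's example.
const spoofed = "http://www.paypal.com&sessionid=123456789%01@blog.codefront.net/";
const report = auditLink(spoofed);
console.log(report.shown);   // http://www.paypal.com&sessionid=123456789
console.log(report.host);    // blog.codefront.net
console.log(report.reasons); // three reasons, all about the userinfo
```

The parse uses the last “@” deliberately: an “@” inside the fake part cannot move the host boundary, so the real destination is always what follows the final one. Flagging every URL with userinfo at all is the simplest policy and is what Microsoft’s fix amounted to; the two finer checks are there for filters that must still let user:password@host through.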
November 11th, 2003
Yup, you heard that right. Popup ad blocking will appear in IE 6.05 as part of Windows XP Service Pack 2 (SP2). You’d have to wait until the first half of 2004 to get it. In the meantime, you can use these alternatives if you aren’t already:
Source: MSFN via Gemal’s Psyched Blog
July 4th, 2003
Google has recently released a beta of version 2.0 of the Google Toolbar for Internet Explorer. The Popup Blocker is good, especially since IE doesn’t come with a built-in popup blocker like Firebird does. With Google’s buyout of Pyra’s Blogger, it isn’t surprising to see a BlogThis button, which lets you post a blog entry about the page you’re currently on. Pretty nice, but I’d stick with MT’s bookmarklet and Trackback - not that I have a choice, since only Blogger.com is supported.
If you’re a Firebird or Mozilla user, you should really check out the Mozilla Google Toolbar.
It may seem like I’ve switched back to IE from this post, but that is not the case. I’m still a fervent Firebird user, except at work where for some reason Firebird doesn’t work because we’ve been having problems with the proxy server. That makes me a sad panda - erm, no phoenix.