Privacy Problems in Microsoft Internet Explorer – IE6 and IE7

If you use Microsoft’s Internet Explorer web browser, here are two privacy problems (security vulnerabilities) you should know about.

Most PC users use Internet Explorer. If you don’t know which web browser you are using, you are probably using Internet Explorer. Internet Explorer version 6 (IE6) comes installed with the Windows XP operating system. Internet Explorer version 7 (IE7) comes installed with the Windows Vista operating system.

Internet Explorer Security Flaw Alert
Internet Explorer version 7 asks you if you would like to make the contents of your clipboard available to a webpage that tries to access it. Version 6 just hands over the info without asking.

Internet Explorer Security Vulnerability Number One
IE6 and IE7 allow your Windows clipboard to be read by a third party that knows how to exploit this vulnerability. Microsoft learned about the problem in IE6, but rather than eliminate it in IE7, Microsoft chose to make it an optional “feature”. In other words, when you visit a web page that tries to access your clipboard using IE7, Windows asks you if you want to allow it. If you are using IE6, Windows does not even ask. It just hands over the information. Scary, huh?

Try this harmless test to see how it works. Put something in your clipboard by highlighting any text in a Word document or text document — or even this web page you are reading right now. With the text highlighted, press the CTRL key + letter C to copy the text, or go to the Edit menu and select Copy. Next, go to this web page: IE Clipboard Plunder.

If you are using IE7, you will get a message asking if you want to allow the web page to access your clipboard. If you are using IE6, you won’t get this message. You will simply see the contents of your clipboard displayed in a pink box to show you that the info has been stolen.

Of course, a malicious web page is not going to tell you that it has stolen the contents of your clipboard! Makes you wonder when the last time was that you had sensitive information in you clipboard while surfing the Web, doesn’t it?

Internet Explorer Security Vulnerability Number Two
If you use Internet Explorer (both IE6 and IE7) for FTP (to download files from your own website to your computer so that you can make changes and then upload them back onto the site), it embeds your FTP username and password in the source code files it downloads (.htm and .html). When you upload these files back to your website, the username and password are visible to anyone who views the source code in a web browser. Bottom line: Don’t use Internet Explorer for FTP.

How Are Internet Explorer Security Vulnerabilities Relevant to Web Marketing?
On some old-school websites, you can still find statements like, “This website best viewed in Internet Explorer 5.0 or higher” or, worse, “This website only displays properly in Internet Explorer 5.0 or higher.” The days of requiring visitors to use a particular browser are, for the most part, a thing of the past, although some banks and other sites with secure information still feel the need to require visitors to use Internet Explorer. Given the clipboard theft vulnerability in Internet Explorer, this is fairly ironic — even irresponsible.

One of the primary reasons Web surfers choose the Firefox browser is its improved security over Internet Explorer. Firefox does not have either of the vulnerabilities noted above. According to some sources, about 13% of those using the Internet now use Firefox. It’s a fair generalization to say that people using Firefox are more aware of security threats posed by malicious websites, phishing scams, etc. By tracking the behavior of people using different browsers, you can come up with some interesting results. For instance, Internet Explorer users may be more likely to click on online ads.

All web analytics programs, including Google Analytics, tell you the type of browser people are using when they visit your site. A more technically oriented audience is more likely to be using Firefox. If you are trying to reach the layperson, and half of the visitors coming to your site via search engines are using Firefox, you should consider changing the language on your site to appeal more to a lay audience.

You can read more on Security Fix, Brian Krebs’ washingtonpost.com blog:

Clipboard Data Theft Optional In IE 7

Internet Explorer and Your Web Site’s [FTP] Privacy

This post was originally created August 8, 2007. The Relevance to Web Marketing section was added September 2, 2007. 

Comments: 3