IE7: is now the time to install it?

Danish security consultancy Secunia posted an advisory regarding an issue whereby an attacker could potentially snare log-ins and passwords from an unsuspecting IE7 user. More than two years ago, security researchers reported the same fault in IE6.

If a user visits a website specially crafted by an attacker, and then opens a "trusted" site such as a bank or e-commerce site that has a pop-up window, the attacker can put new content into the pop-up, said Thomas Kristensen, Secunia’s chief technology officer. This could enable the attacker to ask a user for financial information or passwords, he said.

When the problem was revealed in June 2004, Microsoft gave instructions for a workaround for IE6: disable the setting "Navigate sub-frames across different domains." That setting is disabled by default in IE7, but does not appear to prevent the attack, Kristensen said.

Issues:

• The problem exists in IE 6, Opera (all versions), and Firefox (all versions);
• There has never been an actual exploit of this vulnerability;
• If it ever becomes an issue, a patch will be released. But at the momet sensible use of Secure sites should keep you safe. If you have not been victimized in your past use of secure sites, you will not be victimized by continuing to use these sites you know are safe.
• IE 7 is inherently much safer than previous versions of IE and you should install it immediately.