Is it time to dump Internet Explorer?

Robert Vamosi AnchorDesk

Published: 14 Feb 2002 16:26 GMT

The upside of having one software company design all your applications is that it's easy to make them all interoperate. The problem is that if one program breaks, it might break another seemingly unrelated program as well. Take, for instance, Internet Explorer. You wouldn't think a problem in Internet Explorer 6 could compromise your privacy in MSN Messenger 4.x, but up until recently, it could. And unfortunately, a new patch from Microsoft does not plug all of the browser's security holes.

As previously reported, malicious users could gain access to MSN Messenger's email addresses and contact lists under the right conditions.

Here's how. Messenger was designed to share certain information with JavaScript- or VBScript-enabled Web sites. Only the domains Microsoft.com, Hotmail.com, and Hotmail.msn.com should be able to see Messenger's email addresses and user contact lists. Those access rules are hard-coded into Messenger itself. However, according to a post by software engineer Richard Burton on BugTraq, a clever user could gain full access to MSN Messenger information through the Windows system registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes, under the values Suffix0, Suffix1, and so on.

For some reason, Microsoft provided these empty, additional suffixes and did not bother to write-protect them, so malicious users could just add their domain to Suffix0, and gain access to the contact info. Burton notes that adding .com to Suffix0 allows all .com sites to share MSN Messenger email address and user list information. A fix for MSN Messenger should be available later this week.
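To check a machine for this condition, the Suffixes key can be exported and audited for entries that extend trust beyond the three hard-coded domains. The script below is an added example, not code from the article or from Burton's post; it assumes the key has been exported as `.reg` text, models suffix matching as a plain end-of-hostname comparison (an assumption based on the `.com` behaviour described above), and uses a constructed sample export and constructed probe hosts.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes"
# Domains the article lists as hard-coded into Messenger.
HARDCODED = ("microsoft.com", "hotmail.com", "hotmail.msn.com")
# Constructed host names used to show what each entry would admit.
PROBES = ("www.unrelated-shop.com", "login.partner.example", "example.org")

# Constructed sample in .reg export format (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes]
"Suffix0"=".com"
"Suffix1"=""
"Suffix2"="partner.example"
'''

def parse_suffixes(reg_text):
    """Return {value name: data} for SuffixN string values under KEY."""
    found, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == KEY.lower()
            continue
        m = re.fullmatch(r'"(Suffix\d+)"="(.*)"', line, re.IGNORECASE)
        if in_key and m:
            found[m.group(1)] = m.group(2)
    return found

def suffix_admits(host, suffix):
    """Assumed matching rule: the host name simply ends with the suffix."""
    return bool(suffix) and host.lower().endswith(suffix.lower())

def audit(reg_text):
    """Flag non-empty SuffixN entries that are not inside a hard-coded domain."""
    findings = []
    for name, value in sorted(parse_suffixes(reg_text).items()):
        bare = value.lstrip(".").lower()
        if not bare or any(bare == d or bare.endswith("." + d) for d in HARDCODED):
            continue  # empty slot, or already covered by the built-in list
        scope = "entire TLD" if "." not in bare else "extra domain"
        admitted = [h for h in PROBES if suffix_admits(h, value)]
        findings.append((name, value, scope, admitted))
    return findings

if __name__ == "__main__":
    for name, value, scope, admitted in audit(SAMPLE_REG):
        print(f"{name}={value!r}: {scope} trusted; would admit {admitted}")
```

Any finding means a site outside the hard-coded list can read Messenger contact data on that machine; an "entire TLD" finding corresponds to the `.com` case Burton describes.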

Yet an even greater danger exists when the above MSN flaw is combined with a vulnerability in Internet Explorer 6. Together these two security holes allow malicious users to hijack your Messenger account and impersonate you online.
