Anyone still using Internet Explorer as their default browser might want to be careful, as a serious information-leaking bug has been found. The bug can expose your search habits, because whatever you type into the address bar is revealed to the host of the current website the moment you hit enter.
This is particularly concerning now that address bars are no longer used only to enter website addresses, but double as a general search bar by piggybacking off a search engine, in this case Bing.
“When a script is executed inside an object-HTML tag, the location object will get confused and return the main location instead of its own,” security researcher Manuel Caballero wrote upon finding the bug. “To be precise, it will return the text written in the address bar so whatever the user types there will be accessible by the attacker.”
This is not the first Internet Explorer bug to be made public: Caballero also highlights a zombie script bug that has gone unpatched for months. He suggests that Microsoft is trying to get rid of its old browser entirely, while making its new Edge browser more tantalising with added security.
“If you don’t think it’s important, then imagine what black hats can do right now: they can stay in your browser even if you navigate to a different site, which gives them plenty of time to do ugly stuff like mining digital currencies while abusing users’ CPUs,” writes Caballero. “Also, IE has its popUp blocker completely broken and nobody seems to care.”
Websites mining cryptocurrency via users’ CPUs have stirred quite the controversy lately; however, those were law-abiding hosts pushing the boundaries a bit. With this ability in the wrong hands, users could experience much worse.
Microsoft has responded to the issue, saying that it is working on a fix that is likely to arrive next Tuesday.
KitGuru Says: Leaving so many vulnerabilities in a product doesn’t bode well for the company, as IE holds a sizeable 17 percent of the global market. In the meantime, I’d recommend using an alternative browser, as everyone should advisably have a minimum of two browsers installed on a system.