You know it’s a slow news day when a flaw like this makes the TV news. [Or when it makes the front page of a normally respectable security site like Secunia.]
Okay, so the first thing to note is that if you try this flaw on other browsers – Internet Explorer 6 or Firefox 2.0, for instance – what happens is that the popup appears on screen without an address bar. So, if this popup is going to persuade you on Internet Explorer 7 to click in a bad place, then it’s going to persuade you even more easily to click in a bad place on Internet Explorer 6 or Firefox 2.0.
The next thing to note is that it doesn’t work if your fonts are different widths from the default, for instance if you use a high-DPI font, or use larger fonts because of poor visibility, or just because you like them – the number of padding characters used has to match exactly with the width of the popup window.
Other reasons the flaw is next to useless:
Oh, and Internet Explorer 7 comes with a phishing filter – which I really suggest you accept – that prevents you from being lured to known phishing sites by popups such as these.
Really, there are so many down-sides to this flaw, from the perspective of a malicious person trying to actually exploit it, that it’s a wonder anyone bothered to spend time typing the web page up that demonstrates it.
In a way, this demonstrates Internet Explorer 7’s superiority over previous versions – if this really is the most newsworthy attack you can make, Internet Explorer 7 must be solid.
I’ll restate very simply the reasons that Internet Explorer 7 is worth an install:
Put all that together, and it’s clear that installing Internet Explorer 7 will improve your security. Whether you use it is up to you.
Whether you use Internet Explorer, Firefox, or Opera, or some other browser, from a security standpoint, installing Internet Explorer 7 is a big win. Plus, it’s much easier and more fun to use.