June 9, 2004
R.I.P. IE 1995-2004
This may very well be the last nail in Internet Explorer's coffin. While reviewing my junk mail this morning, I came across the latest in a series of IE exploits used in credit card and identity theft.
The email was a run-of-the-mill forgery purporting to be from eBay. The message contained a link to a replica of the eBay login page, whose sole purpose was to harvest logins and personal information. Call me Captain Obvious, but the IP address in the address bar was a dead giveaway. I was about to move on when my curiosity got the better of me and I decided to see what the page looked like in IE (Firefox being my default).
When I viewed it in Internet Explorer 5.5-6.0, I was surprised to see an eBay URL in the address bar instead of the actual one. Since I had already installed the patch for a similar vulnerability several months prior, I knew something new was afoot.
The source quickly revealed what was happening. IE has a proprietary function, createPopup, that allows you to create custom popup windows on a web page. These windows may be positioned anywhere, have no chrome and always close when the user clicks away from them. In this case, a popup is used to overlay the actual address with a false one.
The exploit is extremely simple:
- A popup window is created containing the URL being spoofed (eBay in this case), formatted to look like the text in the address bar.
- A listener is added so that if the popup is about to close—that is, the user clicks away and the unload event fires—the show method is called to ensure it stays visible.
- Whenever the show method is called, the dimensions and position of the popup are recalculated so that it fits within the bounds of the address bar and overlays the real address. That way, if the browser window is moved or resized, the popup follows it accordingly.
While there were some reports of this exploit in May, there has been no media attention since then and it has remained relatively unknown despite its severity. Odds are it will continue to get worse until action is taken, but by then it may be too late for Internet Explorer.
I say this is the end of IE not because this exploit is being used in new and unanticipated ways. Rather, this is the end because Microsoft is in a lose-lose situation and for many users this will be the last straw. This exploit is unique in that it is based on a feature that is intrinsic to IE. For better or worse, many web sites and intranet applications depend on the createPopup function for things such as custom menus, dialogs and other legitimate uses. It is virtually impossible for Microsoft to patch this vulnerability without crippling these users. But to leave it as-is would be an even bigger disaster.