Security researcher Aviv Raff has discovered another Windows Cross-Site Scripting (XSS) vulnerability in Internet Explorer 7. Thankfully, though the severity of this vulnerability is high, the chance of a successful exploitation is rather low. It is, however, glaringly simple for the hackers to attempt an exploit.
Computers that are known to be vulnerable are those running Windows XP (with any or none of the service patches installed), using IE7 or IE8beta. Computers running Vista are only affected if the user explicitly disables protected mode.
Internet Explorer contains a convenience feature when printing that permits the user to optionally print an appendix page containing a table of all the links on the printing web page. Because printing runs in the lower security levels of the ‘Local Machine Zone’ rather than on the tighter ‘Internet Zone’, if any of these links contain an injected script it can run any arbitrary code almost unhindered on the user’s ma chine.
Until Microsoft deliver a patch, we suggest you leave the “print table of links” box in its default unchecked state when printing a web page. Or you could install Firefox, for free.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.