Security Risks Posed by Internet Explorer 10 in Windows 8 Metro

A clever function could be leveraged by phishers to steal credentials

  Comparison between fake and genuine PayPal sites in Internet Explorer 10 for Metro
Windows 8 promises a lot of innovative security features, but experts fear that many of the functionality improvements, especially the ones that come with the Metro interface, bring with them a number of risks that until now haven’t existed.

Windows 8 promises a lot of innovative security features, but experts fear that many of the functionality improvements, especially the ones that come with the Metro interface, bring with them a number of risks that until now haven’t existed.

McAfee introduces a series of articles in which they detail the risks that come with the brand new Microsoft operating system and the first piece focuses on Internet Explorer 10 in Metro.

In Metro, Internet Explorer 10 has a cleaner look, mainly because the address bar and all the buttons are not visible by default. However, this could be a great advantage for cybercriminals that specialize in phishing campaigns.

First of all, users cannot see on which domain they’re actually on. If they’re presented with a well-designed replica of a PayPal webpage, for instance, internauts who fail to bring up the address bar could easily hand over their credentials to fraudsters.

When the address bar is visible, it actually represents a great security improvement, because it turns green if a secure connection is identified.

Experts say that the address bar should be programmed to automatically reveal itself whenever the user is on a page that requests login details.

Furthermore, the fairly large number of new features such as WebSockets, HTML5, cross-domain messaging, the support for Web Workers within JavaScript apps, and postMessage all bring with them a new attack surface.

“Malware may require only active browser instances to start and propagate instead of executable control over the entire system,” McAfee Security Architect Prashant Gupta explained.

“Proactive measures from antimalware solutions would be the most effective defense in this case because JavaScript is notoriously mutable, and executing JavaScript in a browser is more common for users than running downloaded applications on the desktop.”

Comments