Microsoft’s Internet Explorer browser is leaking the addresses, search queries and any other text its users type into its address bar.
A vulnerability in the browser permits any website you have recently visited to view anything you have typed into the address bar after you hit enter.
“When a script is executed inside an object-html tag, the location object will get confused and return the main location instead of its own,” Caballero said in the accompanying blog post. “To be precise, it will return the text written in the address bar so whatever the user types there will be accessible by the attacker.”
What it comes down to is this: the IE bug enables the website you are currently visiting as well as the website that you visit next to view your browsing history and your search queries, potentially exposing information you wouldn’t want to be made public.
Microsoft, in a statement to the media, said, “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.”
As Caballero pointed out, however, Microsoft does not seem as vigilant about its IE browser as it is about its much newer browser, Edge.
“In my opinion, Microsoft is trying to get rid of IE without saying it. It would be easier, more honest to simply tell users that their older browser is not being serviced like Edge,” he wrote. “I firmly believe that IE should be treated like Edge in terms of security, otherwise get rid of it completely.”