Friday, June 01, 2007

Possible Security Issue in IE on Windows XP

Conventional wisdom states that users should use non-administrative accounts for day-to-day usage on Windows XP machines to minimize exposure to malware. Windows XP even has a nice feature where an application can be executed using another user’s credentials if that application needs to run with special privileges.

An example of something that cannot be done with a non-administrative account is using Windows Update. To use Windows Update, a user will typically right-click on the Internet Explorer (IE) icon, select Run As, and enter the credentials of an administrative account.

If that IE window is left open and a user clicks on a URL that appears in an e-mail message, the page will open in the IE window that is running with administrative privileges instead of an IE window running as the user that is logged in. This would be very bad if the page that was loaded contained malware.

I expected Windows would open the URL in an IE window running under the logged-in user’s credentials. Unfortunately, IE opens the URL in the most recently opened IE window, even if that IE window is running under a different user’s credentials. This seems like a security issue to me.
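
A check for the condition described above, as an added example that is not part of the original post: it lists Internet Explorer processes whose owner is not the logged-in user, so a leftover Run As window can be found and closed before any links are clicked. It assumes Windows PowerShell (2.0 or later) with `Get-WmiObject` available and is run from the logged-in user's own session; the function name `Get-ForeignIEProcess` is hypothetical.

```powershell
# Added example (not from the original post).
# Lists iexplore.exe processes that are NOT owned by the expected account,
# e.g. an IE window started through "Run As" with administrative credentials.

function Get-ForeignIEProcess {
    param(
        # Account expected to own browser windows. Assumption: the caller,
        # i.e. the script is run in the logged-in user's session.
        [string]$ExpectedUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )

    Get-WmiObject -Class Win32_Process -Filter "Name = 'iexplore.exe'" | ForEach-Object {
        $proc  = $_
        $owner = $null

        try {
            # GetOwner() returns ReturnValue 0 plus Domain/User on success.
            $result = $proc.GetOwner()
            if ($result.ReturnValue -eq 0) {
                $owner = '{0}\{1}' -f $result.Domain, $result.User
            }
        } catch {
            # Leave $owner as $null; handled below.
        }

        # A limited account often cannot read the owner of a process that
        # belongs to another account. Treat "unreadable" as foreign too,
        # because the expected user can always read its own processes.
        if (-not $owner) {
            $owner = '<unreadable: not owned by caller>'
        }

        if ($owner -ne $ExpectedUser) {   # -ne is case-insensitive for strings
            New-Object PSObject -Property @{
                ProcessId = $proc.ProcessId
                Owner     = $owner
                Started   = $proc.ConvertToDateTime($proc.CreationDate)
            }
        }
    }
}

# Report any IE window running under another account's credentials.
$foreign = @(Get-ForeignIEProcess)
if ($foreign.Count -gt 0) {
    $foreign | Format-Table ProcessId, Owner, Started -AutoSize
    Write-Warning "IE is running under another account; close these windows before opening links."
} else {
    Write-Output "No IE windows found running under another account."
}
```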