I don’t know if I should laugh or cry. The Register this morning screamed the headline “IE bug leaks private details from 50m PDF files”. Bad Microsoft! Naughty Microsoft! Errr no, bollocks really.
The information leak in question comes from the fact that IE puts a footer in documents which contains the URL the document came from. If you’ve loaded an HTML file from a local directory on your machine, or a network path, then that URL is used in the footer.
I can’t make up my mind if the problem is with the poor reporting by the Register or a massive attention whoring attempt on behalf of the “researcher” in question, “Inferno” who is
a security researcher for a large software company who asked that his real name not be used.
Yea. Good move not being named because if that’s all you told The Register then you’ve done a shoddy job.
Here’s an image of what IE does; what it has done since IE3, and maybe before, but my memory becomes fuzzy. Vulnerability? No. Information leak? Yes, but no more of an information leak than putting the file path in a Word document and putting that on the web.
But that’s not my real objection. My real objection is the vilification of IE. Sure IE needs vilified for a bunch of reasons, vilified, locked in stocks and made to take the blows of rotten fruit from various internet commentators. No, the problem here is Firefox. You see Firefox, that darling of lazy reporters who bring it up every time another IE security bug is found (although, to be fair it’s usually Acrobat bugs these days), well Firefox does the same thing.
In fact Firefox puts the path at the TOP of the document when it prints. Oh noes! If it’s at the top, doesn’t that make it easier to search for or something? Doesn’t that make Firefox more insecure or something? Can I have Inferno’s job, because I think I can get my name in the papers with this sort of nonsense just as well as he or she does…
(Oh and of course you can turn off the URLs in headers or footers in both IE and Firefox and … it works)
Update: Ah, here's the actual report. So it’s happening because IE puts the title of the page as the path, something Firefox does. The behaviour depends on what PDF software you’re using – mine doesn’t do this, PDF-Exchange. It’s not local files either; if it is driven off the page “title”, which is passed as a print title, then it will also happen with any type of document loaded into IE which doesn’t have an HTML title tag, this for example. That would also be sent as a print title, and embedded in the document metadata, if the PDF driver performs like that. Now going from memory I think Acrobat allowed you to override the title as it “printed” – but my only laptop with Acrobat as a printer driver on it doesn’t boot any more, so I can’t experiment, so don’t take my word for it.
So bad reporting on the part of The Register, apologies to Inferno.
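To check your own PDFs for the metadata leak described in the update, here is a small audit script, added as an example and not part of the original post or the report it links to. It assumes the Info dictionary is stored uncompressed with /Title as a direct string; all function names and the sample fragments are made up for illustration.

```python
import re

LOCAL_PATH = re.compile(r'(?i)file://|\b[a-z]:[\\/]|\\\\[\w.$-]+\\')
ESCAPES = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b', b'f': b'\f'}

def _literal(data, i):
    """Decode the PDF literal string whose opening '(' is at data[i]."""
    out, depth, i = bytearray(), 1, i + 1
    while i < len(data):
        c = data[i:i + 1]
        if c == b'\\':  # \ddd octal code, \n-style escape, or escaped \ ( )
            octal = re.match(rb'[0-7]{1,3}', data[i + 1:i + 4])
            tok = octal.group() if octal else data[i + 1:i + 2]
            out += bytes([int(tok, 8) & 0xFF]) if octal else ESCAPES.get(tok, tok)
            i += 1 + len(tok)
            continue
        depth += (c == b'(') - (c == b')')  # unescaped parentheses nest
        if depth == 0:
            break
        out += c
        i += 1
    return bytes(out)

def pdf_titles(data):
    """Yield each /Title string found in uncompressed PDF bytes, decoded to text."""
    for m in re.finditer(rb'/Title\s*(\(|<(?!<))', data):
        if m.group(1) == b'(':
            raw = _literal(data, m.end() - 1)
        else:  # hex string; an odd trailing digit is padded with 0
            digits = re.sub(rb'[^0-9A-Fa-f]', b'', data[m.end():data.find(b'>', m.end())])
            raw = bytes.fromhex((digits + b'0' * (len(digits) % 2)).decode())
        bom = raw[:2] == b'\xfe\xff'  # UTF-16BE text strings start with a BOM
        yield raw[2:].decode('utf-16-be', 'replace') if bom else raw.decode('latin-1')

def leaked_paths(data):
    """Return titles that look like file:// URLs, drive-letter paths or UNC shares."""
    return [t for t in pdf_titles(data) if LOCAL_PATH.search(t)]

# Constructed Info-dictionary fragments (not taken from real documents).
SAMPLES = [
    rb'<< /Title (C:\\Users\\alice\\Documents\\payroll.htm) /Producer (X) >>',
    rb'<< /Title (\\\\fileserver\\hr\\review.doc) >>',
    b'<< /Title <' + ('\ufeff' + 'file:///C:/tmp/q3.htm').encode('utf-16-be').hex().encode() + b'> >>',
    rb'<< /Title (Quarterly report \(final\)) >>',
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(leaked_paths(sample) or 'clean')
```

To audit a real file, pass its bytes to `leaked_paths`, for example `leaked_paths(open(path, 'rb').read())`; titles held in compressed object streams will not be seen by this scan.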