Submission: IE7 lets passwords slip 'by design'
tweakers.net reader writes: "Visitors can have their passwords for many community sites stolen if they use Internet Explorer 7 or lower. Almost all sites that let their users host images or other binary data are vulnerable. Microsoft has been informed, but says this bug is 'by design' (translated from Dutch).
The problem lies in the way that Internet Explorer (IE) handles binary data. Instead of following the standard (RFC 2616), IE determines the content-type in the wrong way. A perfectly valid image like this one or this one is interpreted as HTML in IE. Thereby, JavaScript is executed and passwords for community sites can be stolen (because of this XSS vulnerability). Microsoft will not fix this problem before Internet Explorer 8. On my machine, passwords seem to be safe from this bug with Opera 9.21 and Firefox 2.0.0.3."
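The behaviour described in the submission is content sniffing: the browser ignores the server's `Content-Type` header, looks at the first bytes of the response, and if it finds HTML-looking tags it renders the file as HTML in the origin of the hosting site, so any script inside runs with that site's cookies. The following is an added example, not code from the submission or from tweakers.net, showing how a site that hosts user-uploaded images can reject such files server-side. It assumes a 256-byte sniffing window (an approximation of old IE behaviour, not a documented constant), a small set of image magic numbers, and constructed sample files; the polyglot GIF below is built inline for the demonstration.

```python
import re

# Magic-number prefixes for the image types a typical upload form accepts.
IMAGE_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Assumption: a sniffing browser only inspects the leading bytes of the file.
# 256 is an approximation of the old IE window, not a documented value.
SNIFF_WINDOW = 256

# Tags that make a sniffing browser decide "this is really HTML".
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|img|a\s|div|"
    rb"title|meta|table|plaintext)",
    re.IGNORECASE,
)


def declared_type_matches(data: bytes, declared: str) -> bool:
    """True if the file starts with a magic number for the declared image type."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC.get(declared, ()))


def looks_like_html(data: bytes) -> bool:
    """True if an HTML tag appears inside the sniffing window (a polyglot file)."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def check_upload(data: bytes, declared: str) -> str:
    """Decide whether an uploaded 'image' is safe to host on the site's own origin.

    A valid magic number alone is not enough: a file can carry a real GIF header
    and still contain HTML a few bytes later, which is exactly what a sniffing
    browser latches onto.
    """
    if not declared_type_matches(data, declared):
        return "reject: magic-mismatch"
    if looks_like_html(data):
        return "reject: html-in-sniff-window"
    return "accept"


def safe_headers(declared: str) -> dict:
    """Response headers for serving hosted binaries.

    X-Content-Type-Options: nosniff tells IE8 and later (and other browsers)
    to trust the declared type; it does nothing for IE7, which is why
    user content should also be served from a separate, cookie-less domain.
    """
    return {
        "Content-Type": declared,
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples (not real uploads): a minimal 1x1 GIF, and a polyglot
# that starts with a valid GIF header but carries an HTML script block.
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)
POLYGLOT_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
    b"<html><script>alert(document.cookie)</script></html>"
)


if __name__ == "__main__":
    for name, data in (("clean", CLEAN_GIF), ("polyglot", POLYGLOT_GIF)):
        print(name, check_upload(data, "image/gif"))
    print("html-as-png", check_upload(b"<html>hi</html>", "image/png"))
```

The magic-number check catches the crude case (HTML uploaded with an image extension); the sniff-window scan catches the polyglot case the submission is about, where the file really is an image as far as a decoder is concerned. Neither check replaces serving user content from an origin that holds no session cookies, which is the only mitigation that also protects IE7 users.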