Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Stories · 72
-
Secunia Drops Public Listing of Vulnerabilities
New submitter CheckeredShirt writes: Vulnerability aggregator Secunia just announced on a forum post that they will no longer provide public access to advisories newer than 9 months. According to Secunia they, "frequently encounter organizations engaged in wrongful use of Secunia Advisories," and that VIM customers, "have full access to all advisories." While Secunia is under no obligation to provide their aggregated vulnerabilities they've been doing it for over 10 years. The information they provide is primarily from public sources. -
VLC And Secunia Fighting Over Vulnerability Reports
benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not. -
Many Popular Windows Apps Ignore Security Options
eldavojohn writes "The latest versions of Microsoft Windows have some good security options available — now if only they could get their most popular third-party applications to use them. A report from Secunia takes a look at two such options — DEP and ASLR — and Brian Krebs breaks down who is using them and who is not. A security specialist noted, 'If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly. While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms (PDF). If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.' Among those with neither DEP nor ASLR: Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, and AOL's Winamp. While Flash player can't implement DEP, it does have ASLR. Google Chrome is the only popular third-party application listed with stars across the board." It's worth noting that several apps highlighted in the Secunia research paper have added support for those security options in recent patches, or are in the process of doing so. Examples include Firefox, VLC, and Foxit Reader. -
Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release
Trailrunner7 writes "A month after an advisory was published detailing a new vulnerability in Firefox, Mozilla said it has received exploit code for the flaw and is planning to patch the weakness on March 30 in the next release of Firefox. Mozilla officials said Thursday that the vulnerability, which was disclosed February 18 by Secunia, is a critical flaw that could result in remote code execution on a vulnerable machine. The vulnerability is in version 3.6 of Firefox." -
Typical Windows User Patches Every 5 Days
CWmike writes "The typical home user running Windows faces the 'unreasonable' task of patching software an average of every five days, security research company Secunia said on Thursday. 'It's completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching,' said Thomas Kristensen, the company's CSO. The result: Few consumers devote the time and attention necessary to stay atop the patching job, which leaves them open to attack. Secunia says that of the users who ran the company's Personal Software Inspector in the last week of January, half had 66 or more programs from 22 or more different vendors on their machines. ... Secunia has published a white paper (PDF) that details its findings." -
Adobe Chided For Insecure Acrobat Reader
The Register covers security firm Secunia calling out Adobe for its insecure distribution practices with regard to Adobe Reader. (Here is Secunia's note.) The accusation is that the way Adobe provides Reader extends the software's window of vulnerability once an exploit has begun to circulate. Version 9.1 of Reader, which is what you get when you visit the official download site, contains 10 vulnerabilities that were patched by later releases. "Adobe Systems has been taken to task for offering outdated software on its downloads page that contains dozens of security vulnerabilities, several of which are already being exploited in the wild... Visitors who obtain Adobe Reader from the company's official downloads page will find that it installs version 9.1 of the program on their computers, even though the most recent version was 9.1.2 at time of writing. That could put users at considerable peril given the number of vulnerabilities fixed in the two iterations that have come since 9.1, complains Secunia..." -
Attacks Against Unpatched Microsoft Bug Multiply
CWmike writes "Attacks exploiting the latest Microsoft vulnerability are quickly ramping up in quantity and intensity, several security companies warned today as they rang alarms about the developing threat. Symantec, Sunbelt Software, and SANS' Internet Storm Center bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by IE to display Excel spreadsheets. There is no patch for the vulnerability; Microsoft didn't release one in today's Patch Tuesday. A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection. Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Symantec's Ben Greenbaum. Sunbelt also bumped up its ranking, to high." Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5. -
Safari 3.1 For Windows Violates Its Own EULA, Vulnerable To Hacks
recoiledsnake writes "The new Safari 3.1 for Windows has been hit with two 'highly critical' (as rated by Secunia) vulnerabilities that can result in execution of arbitrary code. The first is due to an improper handling of the buffer for long filenames of files being downloaded, and the second can result in successful spoofing of websites and phishing. This comes close on the heels of criticism of Apple for offering Safari as an update for approximately 500 million users of iTunes on Windows by default, and reports of crashes. There are currently no patches or workarounds available except the advice to stay clear of 'untrusted' sites." Further, Wormfan writes "The latest version of Safari for Windows makes a mockery of end user licensing agreements by only allowing the installation of Safari for Windows on Apple labeled hardware, thereby excluding most Windows PCs." Update: 03/27 17:23 GMT by Z : Dave Schroeder writes with the note that the license has been updated to correct this mistake. -
95 Of Every 100 Windows PCs Miss Security Updates
An anonymous reader writes "From Computerworld today: 'Nearly all Windows computers are likely running at least one unpatched application and about four out of every ten contain 11 or more vulnerable-to-attack programs, a vulnerability tracking company said today.' The new data comes from Secunia's free security-patch scanner, the Secunia PSI. The complete data run-down is available here." -
Xen Security Issue Patched
An anonymous reader sends in word of a privilege escalation security issue identified in the open source Xen hypervisor. Xen has issued a hotfix and urged all users to install it. The problem was disclosed by Secunia last week. A user of a guest domain with root privileges could execute arbitrary commands in domain 0 via specially crafted entries in grub.conf when the guest system is booted. -
Firefox Quickies
First, Gypsy2012 writes with a highly critical security flaw involving both Firefox 2.0 and Internet Explorer, which could allow a malicious attacker to gain remote control of a user's system. It exploits the "firefoxurl://" URI handler. ... Next, reader dsinc sends word that the beta for Firefox 3 has slipped by 6 weeks. The new target date is September 18 at the earliest. The article wonders whether the final release will slip into 2008. ... Finally, reader jktowns points out new anti-phishing features in the latest nightly build of Firefox 3. One of them was added into the code base by the guy who developed the LocationBar2 extension. -
Asus.com Compromised With Exploit Code
Juha-Matti Laurio writes in with news that the Web site of ASUSTeK Computer (asus.com) has been compromised to spread exploit code. The original report from Kaspersky Lab claimed that the compromise led to code exploiting the recently patched Microsoft Windows Animated Cursor (.ANI) 0-day vulnerability, but sans.org found no evidence of this. Apparently a malicious iframe was added to one of the machines in asus.com's DNS round-robin. -
Windows Vulnerability in Animated Cursor Handling
MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code." -
New Zero-Day Vulnerability In Windows
Jimmy T writes "Microsoft and Secunia are warning about the discovery of a new 'Zero-day' vulnerability affecting all Microsoft based operating systems except Windows 2003. Both companies state that the vulnerability is currently being exploited by malicious websites. One attack vector is through Internet Explorer 6/7 — so be aware where you surf to." -
Nine Reasons To Skip Firefox 2.0
grandgator writes, "Hyped by a good deal of fanfare, outfitted with some new features, and now available for download, Firefox 2.0 has already passed 2 million downloads in less than 24 hours. However, a growing number of users are reporting bugs, widening memory leaks, unexpected instability, poor compatibility, and an overall experience that is inferior to that offered by prior versions of the browser. Expanding on these ideas, this list compiles nine reasons why it might be a good idea to stick with 1.5 until the debut of 3.0, skipping the "poorly badged" 2.0 release completely." OK, maybe it's 10 reasons. An anonymous reader writes, "SecurityFocus reports an unpatched highly critical vulnerability in Firefox 2.0. This defect has been known since June 2006 but no patch has yet been made available. The developers claimed to have fixed the problem in 1.5.0.5 according to Secunia, but the problem still exists in 2.0 according to SecurityFocus (and I have witnessed the crash personally). If security is the main reason users should switch to Firefox, how do we explain known vulnerabilities remaining unpatched across major releases?"
Update: 10/30 12:57 GMT by KD : Jesse Ruderman wrote in with this correction. "The article claims that Firefox 2 shipped with a known security hole. This is incorrect; the hole is fixed in both Firefox 1.5.0.7 and Firefox 2. The source of the confusion is that the original version of this report demonstrated two crash bugs, one of which was a security hole and the other of which was just a too-much-recursion crash. The security hole has been fixed but we're still trying to figure out the best way to fix the too-much-recursion crash. The report has been updated to clear up the confusion." -
Microsoft's IE Team Leader Answers Slashdot Questions
We got lots and lots of questions for Dean Hachamovitch, whose formal title is "general manager Internet Explorer at Microsoft Corp." Picking a mere 10 of those questions was not easy, and I wish Dean could have answered twice as many -- and so does he, but his schedule has been tight this week. Anyway, here are his answers to the Chosen Ten.
1) How about this...
by also-rr
Would you like to make available IE on other operating systems?
Dean Hachamovitch:
We did make versions of IE available on other operating systems for a pretty long time, up through IE5 on Unix and the Mac. At the time we developed them, those offerings made sense. I don't see a good reason to make IE available on other operating systems at this time.
2) IE7 release time
by BeeBeard
Why did IE7 take such a long time to release after IE6?
Dean Hachamovitch:
Basically because we were doing a lot of other things before we started work on IE7: a few releases of MSN Explorer, a lot of work on what turned out to be Windows Presentation Foundation, a lot of investment in what turned into IPv6 support in Windows Vista, a lot of security response, a pretty intense effort on Windows Server 2003 (and IE's "Enhanced Security Configuration"), and then a pretty intense effort on Windows XPSP2. You can read a more detailed answer here.
3) Follow up
by LordEd
If you had more time, is there a new feature you would have liked to include in IE7?
Dean Hachamovitch:
Yes, several come to mind. None were more important than shipping. None were more important than the bug fix work we did in response to beta feedback.
The temptation to get "just one more feature in" is so strong... one more CSS fix, one more neat facility for developers, one more performance optimization, one more cool end-user feature. The thing that made it easier to resist the temptation and ship is the prototype and planning work we've started on the next release of IE.
4) Simple questions
by Billosaur
IE has a dominating command of the market, although Firefox is slowly making inroads, due to innovations such as tabbed browsing that IE has had to incorporate to maintain that command. But where are the IE innovations? Why can't the IE team get ahead of the curve on Firefox? Is there anything you consider an innovation that is unique to IE that would plausibly be something the browser market would have to incorporate to stay competitive?
Dean Hachamovitch:
I think IE7 is the first browser with integrated real-time anti-phishing functionality, with an RSS platform and support for Simple List Extensions (see below), with "QuickTabs," with support for OpenSearch, and with shrink-to-fit printing on by default. In Windows Vista with Protected Mode, IE7 is the first browser to "put itself into a sandbox" and run with low privileges.
I think that during the IE7 beta process, you've seen other browser vendors copy some of these features and/or deliver add-ons for others. (IE has also delivered some functionality - like spell-checking in forms or in-line find, as add-ons; you can read more here.)
I want to call out the Phishing Filter and RSS in particular. I think there's a clear difference between the protection offered in IE7 and other places. I suggest readers look here and here and decide for themselves. I was surprised when I read this because I think IE7 delivers real-time protection that respects user privacy at the same time.
I think IE7's RSS is pretty deep. First, the support for the Simple List Extensions that we made available under a Creative Commons license is cool - check out the links below in IE7. Also, the platform enables developers to deliver on some great scenarios, like sharing subscription information between different applications and services easily (from the new version of Outlook 2007 I run at work to IE7 at home via Newsgator). You can read more about that here.
- Amazon Wish List as an RSS feed
- eBay Search Result as an RSS feed
- Yahoo Music Top 10 list as an RSS feed
In regards to tabs, according to http://en.wikipedia.org/wiki/Tabbed_browsing, NetCaptor (an IE-based browser) was first.
5) My shot
by Njovich
What do you consider the greatest weakness of Firefox?
Dean Hachamovitch:
Hey, I've met a bunch of the Firefox folks and respect them and am not about to say mean things about them or their product, period. I have started to see some things that even some Slashdotters find a little confusing, like the whole Iceweasel thing.
6) Security
by Seto89
One of IE7's revolutionary features was supposed to be security, although it took less than 24 hours for Secunia to post an advisory about a security hole. Moreover, the bug seemed to be carried over from as early as IE5.5. What approach did you take to improve browser's security, and how come the vulnerabilities have been carried over?
Dean Hachamovitch:
The overall approach we took is called the secure development lifecycle. You can read more about it in general at http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp and http://www.microsoft.com/MSPress/books/8753.asp. The very short version is that we stepped back to analyze all the ways to attack a browser and then figured out the best ways to defend in depth against attacks. We reduced attack surface area, for example, turning off several features and protocols by default and with ActiveX opt-in. We re-wrote a lot of the URL handling code in our networking layer. We ran a lot of tools against the source code to look for vulnerabilities. We listened to feedback from lots of smart people who are skilled in the art of attack.
As anyone who reads SecurityFocus or FullDisclosure will tell you, security is an industry problem and innovation in attacks is ongoing.
The MHTML issue is pretty interesting. IE calls another Windows component to handle some MHTML functionality. That component has a vulnerability. The important things here are (1) a malicious site can steal user data and (2) of course Microsoft cares about privacy and will fix this issue promptly. Some of the blogs over at zdnet - in particular George Ou's and Ed Bott's - have had some balanced opinion pieces on this issue.
While I was writing this, someone disclosed another issue irresponsibly. On the one hand, it's minor (a malicious site can make the address bar, when it's selected and in a pop-up window, deceiving... clicking in the pop-up window addresses the issue) and our anti-phishing technology helps a lot. The MSRC blog has more detail. At the same time, an attacker could draw a fake or misleading address bar in a pop-up window in a browser that doesn't automatically show the address bar in every window. Again, I think all this shows is that innovation in attacks is ongoing.
7) How about this....
by Toreo asesino
Let's pretend for a moment that Internet Explorer isn't the default web-browser built into Windows and instead, users are presented with a choice on first login (e.g. a message asking 'How would you like to browse the internet? MSIE, Firefox, Opera').
Would you expect IE to become as dominant as it is now if users had to specifically choose it over another?
Ignoring the slight impracticalities, if so (I'm guessing you do), on what basis would this be?
Dean Hachamovitch:
OK, I'll pretend. My first question is when we ask users this question... if it's in 1995, then Opera isn't on the list (Wikipedia just told me that its first public release was in 1996) and neither is Firefox. If it's today, then, candidly, we have 10+ years of people seeing the IE icon and all that that means to them.
The funny thing about your question is that in some ways, users are about two clicks from this scenario every time they run Windows XP: from the Start menu, select Set Program Access and Defaults. And it's not limited to the browsers you list, but any browser that they can download.
To answer your core question: I don't know how people would answer that question. I think we've asked users far simpler ones (like setup programs that ask "Do you want a typical or custom software installation?") that have proven frustrating to them. I do blog searches just about every day to read what people are saying about their browser choice, the browser I work on, and the other browsers you list. While it may surprise you, for many users, the differences between today's browsers aren't as clear and obvious as they may seem to many in the Slashdot crowd. I've read a lot of posts that say, "I tried IE7, I'm pleasantly surprised, and I'm switching back." (I read a lot of others for sure.) For some folks, having professional technical support to contact makes all the difference in their browser choice. During a press interview with a technical trade journal recently I asked the reporter "So what do you browse with" and he said "Mostly IE6, sometimes Firefox 1.5." That might surprise some of you.
8) Allowing Developers to Test for Compatibility
by miyako
IE7, like IE6, renders a lot of pages significantly differently than the other main HTML rendering engines available (Gecko, KHTML, and Opera). At the same time, IE7 requires WGA to run - so that applications like Wine are unable to run it. This means that web developers who are using Linux and Mac OS X will have an extremely difficult time testing their sites with IE7. Was this intentional? If so what was the reason behind it (do you want to force developers to move to Windows for web development, or simply set IE aside as something different that isn't a regular browser and must be specifically developed for), and if not how do you plan to rectify the situation?
Dean Hachamovitch:
I think the core of your question is about giving away Windows licenses for free. We love developers, period. We're also not about to give away Windows client licenses. Because we want end-users to have a great experience on the web, of course we want web developers to have an easy experience working with IE and testing their sites with IE. That's why we published tools like the web developer toolbar and the Application Compatibility Toolkit and so much documentation during the course of IE7 development. I also respect that - as hard as everyone at Microsoft works to make Windows the best operating system for developers to run - some developers will choose to run others. Mac developers have a fine solution - I've talked with hardcore Mac people who bought a copy of Windows that they run on their Mac with Parallels to test their work in IE. For other developers, I've seen some very clever solutions like BrowserCam that should help.
9) I asked Hakon about CSS and now I ask you:
by Chabil Ha'
This past summer Håkon Wium Lie was interviewed on /. and my question was selected concerning IE7's glaring lack of full CSS support. Why is it that MS has avoided meeting at least the ACID2 spec for CSS in order to bring some semblance of conformity for developers?
Håkon Wium Lie's response to these questions is boiled down to the fact that you do have the talent and resources to fix these issues and he says that "the fundamental reason, I believe, is that standards don't benefit monopolists" like MS.
How do you respond to his comments (the author of the CSS spec) and does MS have any near future plans to adhere to the existing CSS standard? If not, what would it take for MS to take a more proactive role in supporting it?
Dean Hachamovitch:
During IE7's development, we prioritized the work we did based on the web development community's real-world feedback. The engineering exercise here was choosing the best work for a finite number of developers to do during a finite period of time, especially given the compatibility impact of changing how IE behaves. The work that we delivered in IE7 simply has more positive impact and makes web developers' jobs easier than making an arbitrary (if terribly clever) web page render the way its author intended.
The Acid 2 test explicitly states that it isn't part of a formal compliance suite and it is not a "spec for CSS." It's a suite of tests of HTML, CSS, PNG, and data URL features that Mr. Lie thought were important. I'm glad that Mr. Lie - who is one of the authors of the CSS specifications - acknowledges that Microsoft's developers have the talent to address these issues.
The question here isn't whether we want to support those features or if we understand that web developers want them (we do), but simply prioritization. We focused on web developers' real world problems.
The real goal here is interoperability - something that Microsoft product teams believe in (remember, Microsoft has more than one product that works with HTML, CSS, and other web standards, and they have to interoperate too) and something that benefits customers (end-users, developers, IT Pros, et al.) across the board. The work in Windows Vista around IPv6 as well as the work we've done in IE7 with OpenSearch, RSS and with Certificate Authorities and other browser vendors on Extended Validation certificates are good examples of following through on that belief in interoperability.
Your question also asks about Microsoft's plans to comply with the existing CSS standard; there are actually several CSS standards, some still under construction (CSS level 3) and some made obsolete over time (e.g. CSS 2.1 fixing errors, removing ambiguities and changing required behavior from CSS 2). Just as we did in IE7, we're going to listen to the web development community and prioritize the remaining CSS work and deliver the parts we hear are most important first. We do intend to comply with the standard; no other browser I'm aware of has complete support of every feature in CSS 2.1, so it's clear that we all have to use prioritization to know where best to place our resources.
10) Why develop IE at all
by CmdrGravy
Given that you are not planning on selling IE 7 and the fact that there are already other browsers on the market which can allow Windows users to experience the web fully why is Microsoft investing so much time and effort in continuing the development of IE?
Dean Hachamovitch:
Windows customers expect the best, safest experience with their PCs out of the box, especially around the web browser. We're investing so much time and effort in IE in order to give Windows customers a great, secure, default experience. I'm glad that users can choose other browsers as they see fit - Windows is a platform. We're working this hard on IE because so many end-users rely on it and so many developers have built on the APIs that IE exposes as a part of the Windows platform.
-------
Editor's note: Next week's Slashdot interview guest will be a FireFox person. Only fair, right? :) -
Microsoft's IE Team Leader Answers Slashdot Questions
We got lots and lots of questions for Dean Hachamovitch, whose formal title is "general manager Internet Explorer at Microsoft Corp." Picking a mere 10 of those questions was not easy, and I wish Dean could have answered twice as many -- and so does he, but his schedule has been tight this week. Anyway, here are his answers to the Chosen Ten. 1) How about this...
by also-rr
Would you like to make available IE on other operating systems?
Dean Hachamovitch:
We did make versions of IE available on other operating system for a pretty long time, up through IE5 on Unix and the Mac. At the time we developed them, those offerings made sense. I don't see a good reason to make IE available on other operating systems at this time.
2) IE7 release time
by BeeBeard Why did IE7 take such a long time to release after IE6?
Dean Hachamovitch:
Basically because we were doing a lot of other things before we started work on IE7: a few releases of MSN Explorer, a lot of work on what turned out to be Windows Presentation Foundation, a lot of investment in what turned into IPv6 support in Windows Vista, and lot of security response, a pretty intense effort on Windows Server 2003 (and IE's "Enhanced Security Configuration"), and then a pretty intense effort on Windows XPSP2. You can read a more detailed answer here
3) Follow up
by LordEd
If you had more time, is there a new feature you would have liked to include in IE7?
Dean Hachamovitch:
Yes, several come to mind. None were more important than shipping. None were more important than the bug fix work we did in response to beta feedback.
The temptation to get "just one more feature in" is so strong... one more CSS fix, one more neat facility for developers, one more performance optimization, one more cool end-user feature. The thing that made it easier to resist the temptation and ship is the prototype and planning work we've started on the next release of IE.
4) Simple questions
by Billosaur
IE has a dominating command of the market, although Firefox is slowly making inroads, due to innovations such as tabbed browsing that IE has had to incorporate to maintain that command. But where are the IE innovations? Why can't the IE team get ahead of the curve on Firefox? Is there anything you consider an innovation that is unique to IE that would plausibly be something the browser market would have to incorporate to stay competitive?
Dean Hachamovitch:
I think IE7 is the first browser with integrated real-time anti-phishing functionality, with an RSS platform and support for Simple List Extensions (see below), with "QuickTabs," with support for OpenSearch, and with shrink-to-fit printing on by default. In Windows Vista with Protected Mode, IE7 is the first browser to "put itself into a sandbox" and run with low privileges.
I think that during the IE7 beta process, you've seen other browser vendors copy some of these features and/or deliver add-ons for others. (IE has also delivered some functionality - like spell-checking in forms or in-line find - as add-ons; you can read more here.)
I want to call out the Phishing Filter and RSS in particular. I think there's a clear difference between the protection offered in IE7 and other places. I suggest readers look here and here and decide for themselves. I was surprised when I read this because I think IE7 delivers real-time protection that respects user privacy at the same time.
I think IE7's RSS is pretty deep. First, the support for the Simple List Extensions that we made available under a Creative Commons license is cool - check out the links below in IE7. Also, the platform enables developers to deliver on some great scenarios, like sharing subscription information between different applications and services easily (from the new version of Outlook 2007 I run at work to IE7 at home via Newsgator). You can read more about that here.
- Amazon Wish List as an RSS feed
- eBay Search Result as an RSS feed
- Yahoo Music Top 10 list as an RSS feed
In regards to tabs, according to http://en.wikipedia.org/wiki/Tabbed_browsing, NetCaptor (an IE-based browser) was first.
5) My shot
by Njovich
What do you consider the greatest weakness of Firefox?
Dean Hachamovitch:
Hey, I've met a bunch of the Firefox folks and respect them and am not about to say mean things about them or their product, period. I have started to see some things that even some Slashdotters find a little confusing, like the whole Iceweasel thing.
6) Security
by Seto89
One of IE7's revolutionary features was supposed to be security, although it took less than 24 hours for Secunia to post an advisory about a security hole. Moreover, the bug seemed to be carried over from as early as IE5.5. What approach did you take to improve browser's security, and how come the vulnerabilities have been carried over?
Dean Hachamovitch:
The overall approach we took is called the secure development lifecycle. You can read more about it in general at http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp and http://www.microsoft.com/MSPress/books/8753.asp. The very short version is that we stepped back to analyze all the ways to attack a browser and then figured out the best ways to defend in depth against attacks. We reduced attack surface area, for example, turning off several features and protocols by default and with ActiveX opt-in. We re-wrote a lot of the URL handling code in our networking layer. We ran a lot of tools against the source code to look for vulnerabilities. We listened to feedback from lots of smart people who are skilled in the art of attack.
As anyone who reads SecurityFocus or FullDisclosure will tell you, security is an industry problem and innovation in attacks is ongoing.
The MHTML issue is pretty interesting. IE calls another Windows component to handle some MHTML functionality. That component has a vulnerability. The important things here are (1) a malicious site can steal user data and (2) of course Microsoft cares about privacy and will fix this issue promptly. Some of the blogs over at ZDNet, in particular George Ou's and Ed Bott's, have had some balanced opinion pieces on this issue.
While I was writing this, someone disclosed another issue irresponsibly. On the one hand, it's minor (a malicious site can make the address bar, when it's selected and in a pop-up window, deceiving... clicking in the pop-up window addresses the issue) and our anti-phishing technology helps a lot. The MSRC blog has more detail. At the same time, an attacker could draw a fake or misleading address bar in a pop-up window in a browser that doesn't automatically show the address bar in every window. Again, I think all this shows is that innovation in attacks is ongoing.
7) How about this....
by Toreo asesino
Let's pretend for a moment that Internet Explorer isn't the default web-browser built into Windows and instead, users are presented with a choice on first login (e.g. a message asking 'How would you like to browse the internet? MSIE, Firefox, Opera').
Would you expect IE to become as dominant as it is now if users had to specifically choose it over another?
Ignoring the slight impracticalities, if so (I'm guessing you do), on what basis would this be?
Dean Hachamovitch:
OK, I'll pretend. My first question is when we ask users this question... if it's in 1995, then Opera isn't on the list (Wikipedia just told me that its first public release was in 1996) and neither is Firefox. If it's today, then, candidly, we have 10+ years of people seeing the IE icon and all that that means to them.
The funny thing about your question is that in some ways, users are about two clicks from this scenario every time they run Windows XP: from the Start menu, select Set Program Access and Defaults. And it's not limited to the browsers you list, but any browser that they can download.
To answer your core question: I don't know how people would answer that question. I think we've asked users far simpler ones (like setup programs that ask "Do you want a typical or custom software installation?") that have proven frustrating to them. I do blog searches just about every day to read what people are saying about their browser choice, the browser I work on, and the other browsers you list. While it may surprise you, for many users, the differences between today's browsers aren't as clear and obvious as they may seem to many in the Slashdot crowd. I've read a lot of posts that say, "I tried IE7, I'm pleasantly surprised, and I'm switching back." (I read a lot of others for sure.) For some folks, having professional technical support to contact makes all the difference in their browser choice. During a press interview with a technical trade journal recently I asked the reporter "So what do you browse with" and he said "Mostly IE6, sometimes Firefox 1.5." That might surprise some of you.
8) Allowing Developers to Test for Compatibility
by miyako
IE7, like IE6, renders a lot of pages significantly differently than the other main HTML rendering engines available (Gecko, KHTML, and Opera). At the same time, IE7 requires WGA to run - so that applications like Wine are unable to run it. This means that web developers who are using Linux and Mac OS X will have an extremely difficult time testing their sites with IE7. Was this intentional? If so what was the reason behind it (do you want to force developers to move to Windows for web development, or simply set IE aside as something different that isn't a regular browser and must be specifically developed for), and if not how do you plan to rectify the situation?
Dean Hachamovitch:
I think the core of your question is about giving away Windows licenses for free. We love developers, period. We're also not about to give away Windows client licenses. Because we want end-users to have a great experience on the web, of course we want web developers to have an easy experience working with IE and testing their sites with IE. That's why we published tools like the web developer toolbar and the Application Compatibility Toolkit and so much documentation during the course of IE7 development. I also respect that - as hard as everyone at Microsoft works to make Windows the best operating system for developers to run - some developers will choose to run others. Mac developers have a fine solution - I've talked with hardcore Mac people who bought a copy of Windows that they run on their Mac with Parallels to test their work in IE. For other developers, I've seen some very clever solutions like BrowserCam that should help.
9) I asked Hakon about CSS and now I ask you:
by Chabil Ha'
This past summer Håkon Wium Lie was interviewed on /. and my question was selected concerning IE7's glaring lack of full CSS support. Why is it that MS has avoided meeting at least the ACID2 spec for CSS in order to bring some semblance of conformity for developers?
Håkon Wium Lie's response to these questions is boiled down to the fact that you do have the talent and resources to fix these issues and he says that "the fundamental reason, I believe, is that standards don't benefit monopolists" like MS.
How do you respond to his comments (the author of the CSS spec) and does MS have any near future plans to adhere to the existing CSS standard? If not, what would it take for MS to take a more proactive role in supporting it?
Dean Hachamovitch:
During IE7's development, we prioritized the work we did based on the web development community's real-world feedback. The engineering exercise here was choosing the best work for a finite number of developers to do during a finite period of time, especially given the compatibility impact of changing how IE behaves. The work that we delivered in IE7 simply has more positive impact and makes web developers' jobs easier than making an arbitrary (if terribly clever) web page render the way its author intended.
The Acid 2 test explicitly states that it isn't part of a formal compliance suite and it is not a "spec for CSS." It's a suite of tests of HTML, CSS, PNG, and data URL features that Mr. Lie thought were important. I'm glad that Mr. Lie - who is one of the authors of the CSS specifications - acknowledges that Microsoft's developers have the talent to address these issues.
The question here isn't whether we want to support those features or if we understand that web developers want them (we do), but simply prioritization. We focused on web developers' real world problems.
The real goal here is interoperability - something that Microsoft product teams believe in (remember, Microsoft has more than one product that works with HTML, CSS, and other web standards, and they have to interoperate too) and something that benefits customers (end-users, developers, IT Pros, et al.) across the board. The work in Windows Vista around IPv6 as well as the work we've done in IE7 with OpenSearch, RSS and with Certificate Authorities and other browser vendors on Extended Validation certificates are good examples of following through on that belief in interoperability.
Your question also asks about Microsoft's plans to comply with the existing CSS standard; there are actually several CSS standards, some still under construction (CSS level 3) and some made obsolete over time (e.g. CSS 2.1 fixing errors, removing ambiguities and changing required behavior from CSS 2). Just as we did in IE7, we're going to listen to the web development community and prioritize the remaining CSS work and deliver the parts we hear are most important first. We do intend to comply with the standard; no other browser I'm aware of has complete support of every feature in CSS 2.1, so it's clear that we all have to use prioritization to know where best to place our resources.
10) Why develop IE at all
by CmdrGravy
Given that you are not planning on selling IE 7 and the fact that there are already other browsers on the market which can allow Windows users to experience the web fully why is Microsoft investing so much time and effort in continuing the development of IE?
Dean Hachamovitch:
Windows customers expect the best, safest experience with their PCs out of the box, especially around the web browser. We're investing so much time and effort in IE in order to give Windows customers a great, secure, default experience. I'm glad that users can choose other browsers as they see fit - Windows is a platform. We're working this hard on IE because so many end-users rely on it and so many developers have built on the APIs that IE exposes as a part of the Windows platform.
-------
Editor's note: Next week's Slashdot interview guest will be a Firefox person. Only fair, right? :) -
IE7 Vulnerability Discovered
slidersv writes "Not 24 hours after the release of IE7, Secunia reports Internet Explorer Arbitrary Content Disclosure Vulnerability. So much for the "you wanted it easier and more secure" slogan found on Microsoft's IE Website." -
Code Posted For New IE Exploit
PC World is reporting that two days ago hackers posted code for a new vulnerability in Internet Explorer that could allow drive-by takeover of a vulnerable PC. Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild, but they are taking the new threat seriously. Symantec calls the bug "critical" and Secunia rates it highly critical, the most severe rating. The hackers who posted the sample code, xsec.org, refer to it as a "0day" exploit. The article quotes another security expert who calls this label "a stretch." Update: 09/17 18:00 GMT by C: Fixed link to XSec. Thanks for pointing that one out, folks. -
Firefox Update Kills Bugs, Adds Mac Support
Juha-Matti Laurio writes "Several vulnerabilities are fixed in version Firefox 1.5.0.2, which was released on Thursday. In addition to security patches Firefox now includes some stability enhancements and, as expected, includes native support for Apple Computer's Macs with Intel processors. Secunia has a detailed advisory about vulnerabilities fixed with this release." -
New Phishing Flaw in Internet Explorer
JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (German) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable." -
Highly Critical Hole Found in IE
dotpavan writes "Eweek reports on a highly critical MS Internet Explorer hole found by Secunia Research's Andreas Sandblad. The vulnerability is due to the processing of the "createTextRange()" method call applied on a radio button control. From Secunia, "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2." The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by Microsoft Security Response Center blog. How would this put MS in the market, hit by the ever-growing shots of vulnerabilities? And would the divorce of IE7 from Vista's Windows Explorer help?" -
Mac OS X Struck By Severe Security Hole
An anonymous reader writes "Macworld is reporting about a new security hole in Mac OS X that can be exploited to compromise a system if the user simply visits a web site with Safari. Currently, no vendor patch is available. Secunia has a demonstration of the vulnerability and suggestions for temporary workarounds." -
Unpatched IE Flaw Extremely Critical
Durinthal writes "The biggest blip on the security radar over the Thanksgiving holiday was the realization by the security community that an Internet Explorer problem first identified six months ago was a lot worse than it appeared, as what appeared to be only a DoS vulnerability also allows for execution of arbitrary code. The realization caused Secunia to issue a rare 'Extremely Critical' advisory." -
Mozilla Thunderbird 1.0.7 Released
Juha-Matti Laurio writes "MozillaZine has a report about new Mozilla Thunderbird 1.0.7 release. Among other changes, this minor release includes fixes for the Linux command line URL parsing security flaw. Thunderbird 1.0.7 can be downloaded from the Thunderbird product page. 'Extremely Critical' Secunia advisory will be updated very soon." -
IE Flaw Exposes Users To Spoof-Based Attacks
Sotos wrote to mention a C|Net article discussing a new spoof-based attack on Internet Explorer. From the article: "The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote. The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up." Secunia has an alert up on the spoof. -
Spoofing Flaw Resurfaces in Mozilla Browsers
GregThePaladin writes "A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames. The applications don't check whether the frames displayed in a single window all originate from the same Web site." Commentary on this at whitedust as well. -
Apple iTunes Hit With a New Critical Flaw
Jameson writes "Apple has released a new iTunes version to correct a security vulnerability reported by Mark Litchfield. FrSIRT and Secunia marked the flaw as "critical", because it can be exploited by malicious people to compromise a user's system via maliciously-crafted MPEG4 file. iTunes 4.8 addresses this issue by improving the validation checks used when loading MPEG4 files." -
Mozilla / Firefox Memory Exposure Vulnerability
JimmyM writes "Secunia has a story regarding a new severe vulnerability in the Mozilla Suite and Firefox browser, which can be exploited by any web site to read all memory, which the browser process has access to. No patch is available from Mozilla. A demonstration is available here." -
MS Security Chief Says Windows is Safer Than Linux
Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product. -
Three New Microsoft Bulletins
Jimmy M writes "Microsoft has released three security bulletins for January, which correct vulnerabilities in the handling of Icon and Cursor files, Indexing Services, and HTML Help. Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS. All updates are available from Windows Update." -
Extremely Critical IE6/SP2 Exploit Found
Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'" -
Security Issues in Mozilla
paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!" -
New Spoofing Vulnerability in IE
Jimmy M. writes "A new vulnerability has been announced in Internet Explorer, also affecting XP SP2, which can very easily be exploited by a malicious web site to completely spoof the address bar. The vulnerability is very similar to another vulnerability disclosed just about a year ago called the '%00' vulnerability, which also was widely exploited by phishers. A demonstration is also available." -
New Vulnerability Affects All Browsers
Jimmy writes "Secunia is reporting about a new vulnerability, which affects all browsers. It allows a malicious web site to "hi-jack" pop-up windows, which could have been opened by e.g. your bank or an online shop. Here is a demonstration of the vulnerability" -
Big Day For Browser Vulnerabilities
An anonymous reader writes "All browsers have been reported vulnerable to different vulnerabilities today. Starting with: Internet Explorer on XP SP1/SP2, which suffers a new system compromise (of course) vulnerability. Continuing with: Opera, Mozilla / Mozilla Firefox / Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon, which all suffer some new spoofing vulnerabilities. Demonstrations of the spoofing vulnerabilities are available here and here." -