Slashdot Mirror


Highly Critical Hole Found in IE

dotpavan writes "Eweek reports on a highly critical MS Internet Explorer hole found by Secunia Research's Andreas Sandblad. The vulnerability is due to the processing of the "createTextRange()" method call applied on a radio button control. From Secunia, "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2." The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition), though it could be avoided by turning off Active Scripting, as suggested by the Microsoft Security Response Center blog. How would this put MS in the market, hit by the ever-growing shots of vulnerabilities? And would the divorce of IE7 from Vista's Windows Explorer help?"

3 of 336 comments

  1. Re:How does this fare with previous statements? by ThinkFr33ly · Score: 0, Flamebait

    Actually, IE 7 in Vista would have been safe from this issue.

    See: http://it.slashdot.org/comments.pl?sid=181121&cid=14982748

  2. Re:Wrong Analogy by cosinezero · Score: 0, Flamebait

    By hiding the exploit and announcement, it is more akin to denying that the illness exists at all and therefore they will be safer.

    -->Wrong.

    The best course of action, bar none, is to quietly notify the company and let them patch it.

    You gain nothing but bragging points by notifying the public of the details of an exploit before a patch is released, unless there is some drastic action they can take to protect themselves that they shouldn't already be taking from other exploits.

    The ONLY other answer here is to announce that you've -found- an exploit, give details on how to protect yourself against it, but do not provide details on how to use the exploit.

    Providing details on using the exploit is just plain endangering all of us. Advertising it here doubly so.

  3. In other news... by myz24 · Score: 0, Flamebait

    a remote root exploit was found in Sendmail. You can bet everyone will praise how open source programmers find and fix these problems so quickly, but will say Microsoft sucks because that's how it's done around here. I'm gradually growing more tired of the OSS community because they continue to give Microsoft grief despite the fact that they are improving their product lines. Windows Server 2003 and many of the server products released after Server 2003 are pretty decent, much better than the old NT4 and Windows 2000 Server. If you haven't *actually* used these products and know what you're doing, then you simply aren't qualified to say otherwise; things are better.

    Also, when Microsoft announced they would be concentrating on security, everyone assumed that meant everything they had at that moment was instantly more secure. Like a failing car company (i.e., GM), it takes years for new products to get to market with all the promised improvements. I think Vista will finally contain the real work towards their effort to be more secure.