Slashdot Mirror

← Back to Stories (view on slashdot.org)

Highly Critical Hole Found in IE

Posted by ryuzaki0 on from the must-be-thursday dept.

dotpavan writes "Eweek reports on a highly critical MS Internet Explorer hole found by Secunia Research's Andreas Sandblad. The vulnerability is due to the processing of the "createTextRange()" method call applied on a radio button control. From Secunia, "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2." The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by Microsoft Security Response Center blog. How would this put MS in the market, hit by the ever-growing shots of vulnerabilties? And would the divorce of IE7 from Vista's Windows Explorer help?"

8 of 336 comments (clear)

  1. Patch available by thrillseeker · · Score: 5, Funny

    here

    1. Re:Patch available by Stellian · · Score: 5, Insightful

      Mozilla has bugs to. Lots of them. The difference, however is the time it takes to patch them.
      Folks like Secunia can profit only when the patch takes a long time to develop. As long as it is a secret vulnerability, it has value. This vulnerability is the perfect example: MS was notified about this on 13/02/2006, 40 days ago. They had all the opportunity to fix it in this month's security patch, but thy did not. So the patch will come no earlier than 2 months after discovery - that's a huge window of exposure.
      It was only when I have rediscovered the bug, and posted an inquiry about it on the Full Disclosure mailing list, that Secunia rushed to finally publish the advisory. I must note that I did not develop the exploit independently, I simply piked it up on underground forums.
      I say this is not "responsible disclosure", and that it is *irresponsible* to keep a bug of this magnitude unpatched for 2 months. Because there is a high risk that it will be found by the bad guys in the meantime - just like it happened with this bug.

      --
      Stelian ENE

  2. Highly Critical Hole Found in IE? by Anonymous Coward · · Score: 5, Funny

    Must be thursday.

  3. Perhaps it would save time... by Threni · · Score: 5, Funny

    ...if researchers just identified the bits that *weren't* totally insecure?

  4. It is not a dupe! by Life700MB · · Score: 5, Funny


    It's a brand new hole!


    --
    Superb hosting 20GB Storage, 1_TB_ bandwidth, ssh, $7.95

  5. Do what now? by Rob+T+Firefly · · Score: 5, Funny

    TFA: Microsoft plans to release a pre-patch advisory with workarounds for a "highly critical" vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers

    So this article updates us to the fact that they plan to update us with an article prior to the update?

    --
    Slashdot Burying Stories About Slashdot Media Owned
  6. Proof of concept by Anonymous Coward · · Score: 5, Funny
  7. Re:Not possible. by bedroll · · Score: 5, Informative
    Disable ActiveX in the Internet Zone and add *.windowsupdate.com and *.microsoft.com to your trusted sites.

    ActiveX really should only run from trusted sites anyway.