IE7 Vulnerability Discovered
slidersv writes "Not 24 hours after the release of IE7, Secunia reports Internet Explorer Arbitrary Content Disclosure Vulnerability. So much for the "you wanted it easier and more secure" slogan found on Microsoft's IE Website."
That's the root of the problem. I'd wager 90% of the functionality for browsers is only used by 5% of end users. Granted a lot of stuff is demanded by web developers who want fancy this, animated that, and sliding and fading the other, but to be honest, most of us don't need any of that junk.
:D
As end users, how much of browser bloat do we really need?
I think there was a Slashdot story asking for feature requests for Firefox recently. My main request is this please:
less of everything
It's already at the case where I'm starting to notice how long it takes Firefox to start. Sometimes more features does not mean better. It's like anything, cars, mobile phones, TVs, they all have major feature bloat.
I found it actually impossible to buy a new mobile *without* internet access. It's insane. I remember when you didn't have an animated 'startup' screen for your phone, because the damned things just switched on.
Feature bloat -> just say no
DRM-free indie games for the PC and Mac: Positech Games
This shouldn't be too much of a surprise ... how many software products are 100% bug free when released, particularly Microsoft's? Anyone who downloads or buys any software within the first few weeks is just asking for it ... and anyone who buys a Microsoft product within the first year is bound to have issues, whether security breaches or just annoying bugs.
Crack - Free with every butt and set of boobs
This has been a problem in Internet Explorer for a while (IE 6 and prior versions). Most people turn off Active Scripting because of the vulnerabilities. You can disable it and have "trusted" sites for those sites which you want to enable active scripting like http://windowsupdate.microsoft.com./
We get a quarter, actually. Obviously people are going to defend what they like. I like Firefox, although I never used to. I used to hate Mozilla, Netscape and family. I used Opera for a while, but I just don't like IE. I'm sure the day is soon coming when Firefox will have exploit after exploit.
x86, oh yes, I'm pro.
That is all the more reason to be concerned about it. If the flaw was known in IE6 then why in the world wouldn't it have been addressed in IE7, I mean they've been working on it for half the decade for crying out loud.
In a world of acronyms, the words are the real victims.
The problem isn't so much as not having bugs in FF but the fact that MS is trying to make it look like the new IE is revolutionary and more secure than FF.
But, don't forget that if you strip away too much, you'll end up with Lynx. Some people like at least images and css, you know?
Obligatory Soundbite Catchphrase
Meta will eat itself
And if you were honest you wouldn't be hiding behind the AC label.
Maybe IE is bloated - but this is often the fate of a successful application.
Surely it must be possible to structure the system so that the threat caused by any application going crazy/malicious, can be contained?
This is the system architecture issue that is wider than just a browser.
People will always find something. When you got hundreds of thousands of people checking your software for whatever issue they can find, odds are that they WILL find something. Just because it's fun to bash MS doesn't mean it's feasible to create a software with zero vulnerabilities, that's impossible, new vulnerabilities are created each week.
:-)
I mind much less IE's security than IE's compliance to W3 standards. Now THAT is annoying. Having constantly to create two versions of your code. One for the compliant browsers and then one for IE.
For some reason, the suits at MS think that because lots of people use their software they have a moral obligation to tell people what the standards should be. Ok... I know IE7 is not as bad... but it's still bad
If you look like your passport photo, you're too ill to travel. - Will Kommen
I like how Firefox originally started as the slimmer, less resource-intensive version of Mozilla. And look where it is now.
It's like sex, except I'm having it!
These days it seems as though many programmers don't know assembler. They don't know what it is to program with limited amounts of memory and how to write tight and fast code. Part of it may be marketing checklists, but some of it is ignorance and laziness.
Fight Spammers!
Well, you could argue that it was quickly discovered to still exist in IE7. Interestingly, this vulnerability contradicts claims that IE7 is a rewrite. Clearly, it is not.
"Sufferin' succotash."
That makes it worse. Not only is IE7 not a "rewrite" as some claimed, but it doesn't fix known vulnerabilities in its previous version. At least if it was new code, you could understand and expect an unknown vulnerability.
"Sufferin' succotash."
So an old vulnerability that was already known in IE6 shows up in IE7 and we're not supposed to be worried? There is this concept called credibility. It relates to someone's trustability. Not that Microsoft had a lot of it before, but when their newfangled browser that is so much more secure still contains a vulnerability from 6 months ago, IE7 starts with a default of ZERO credibility.
Stop Global Warming!
Just say no to irreversible processes!
Uhm, hello!?
Using this hole any arbitrary website you visit can request pages from arbitrary other websites *through your browser*, that means including sites to which you may be logged in at the time. For example, your bank account, paypal account, ebay account. They don't even *need* to steal your password if you still have open sessions at sites that matter...
I rather fail to see how this is "not really dangerous at all"!
Every expression is true, for a given value of 'true'
He has made 291 comments in the past. He has a number of fans and a number of freaks. He has made comments that some people like and some people don't like, and no matter what he stands for it, by using his account. You're a coward because you make trollish comments and don't have the balls to stand for what you say. You're worried that some people might use your comments against you in a future discussion, or you're worried that this might harm your karma.
The difference? He's a man that's not afraid to stand by what he said, you're a small boy that runs around and creates a mess and then blames someone else. If you have any sort of backbone and not a spine made of jello, you should reveal your username. No? I figured you wouldn't.
It's funny to see how snotty the purists get when their tech is hacked and abused to do things it wasn't "intended" to do. Especially when these same folk revel in doing it to other things.
Seriously, get with the fucking program - the people have spoken and this is what they want. No one gives a fuck all about HTTP being for text only. Shut up or get off.
Here is the line of code they use to get the source of the said 3rd party page: request.open('GET', 'http://secu'+'nia.com/ie_redir_test_1/?' + Math.random(), true); Here is why this 'bug' does not do what they say it does: The browser does not allow AJAX-style connections to any domain outside of the one you are currently on. To 'get around this' Secunia has connected to a page on their server which then goes and gets the code. Probably using a readfile command. Here is why this is NOT a browser bug: The page that they are calling is on their server, which means that it does not have your cookies or your session data. The server page that they are opening can only view the page from the standpoint of a not-logged-in user. This isn't a new trick that Secunia just invented, it is used quite often to get data from other websites. But the only way to log into another website in this manner is to have the server-side page open a socket into that 3rd party page. This cannot be done, again, because their server does not have your cookie data. This is not a browser bug.
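The two request paths that the comment above and the earlier "open sessions" comment disagree about, modelled side by side as an added example that is not part of the thread or of Secunia's test page. The hosts (site-a.example, bank.example), the cookie value and all function names are constructed for illustration.

```javascript
// Same-origin means scheme, host and port all match; the URL parser
// normalises default ports, so http://h:80 and http://h compare equal.
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// Constructed cookie jar held by the user's browser: host -> cookie header.
const browserCookies = new Map([["bank.example", "session=constructed-value"]]);

// Path 1: script on pageUrl asks the *browser* to fetch targetUrl.
// Cookies for the target host are attached by the browser; the same-origin
// policy decides whether the script is allowed to read the response.
function browserRequest(pageUrl, targetUrl, jar = browserCookies) {
  const host = new URL(targetUrl).hostname;
  return {
    cookiesSent: jar.has(host) ? jar.get(host) : null,
    scriptMayRead: sameOrigin(pageUrl, targetUrl),
  };
}

// Path 2: the page calls a relay on its own origin, and that server fetches
// targetUrl itself. The server never sees the browser's jar, so it only
// obtains the logged-out view of the target.
function serverSideRelay(pageUrl, relayUrl, targetUrl) {
  const toRelay = browserRequest(pageUrl, relayUrl);
  return { target: targetUrl, cookiesSent: null, scriptMayRead: toRelay.scriptMayRead };
}

// The condition a content-disclosure report describes: the script could read
// a response from a different origin that was fetched with the user's cookies.
// `observed` is what a test harness measured, not what the policy predicts.
function isCrossOriginDisclosure(pageUrl, targetUrl, observed) {
  return observed.scriptMayRead === true &&
         observed.cookiesSent !== null &&
         !sameOrigin(pageUrl, targetUrl);
}
```

A correctly enforced policy never yields an observation for which `isCrossOriginDisclosure` returns true; the relay path is readable but carries no session.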
How much you want to bet this guy found the vuln weeks ago, but held off on releasing it so he could brag that he discovered the first IE7 vuln, and it only took him less than 24hr!
Yes, you're right.. it is traditional when releasing a new version of software to THROW OUT ALL YOUR CODE AND START OVER FROM SCRATCH.
I love it when people in the cake decorating industry post to Slashdot.
# (/.);;
- : float -> float -> float =