IE7 Vulnerability Discovered

slidersv writes "Not 24 hours after the release of IE7, Secunia reports Internet Explorer Arbitrary Content Disclosure Vulnerability. So much for the "you wanted it easier and more secure" slogan found on Microsoft's IE Website."

two words

[doti]

ha ha

Re:two words

[parodyca]

but that was only one word..... twice

Re:two words

[AKAImBatman]

One word: Brillant!

Re:two words

you can't think of all that details when rushing for a first post

Re:two words

[knightmad]

If you are going to do, at least do it right:

ha ha

Re:two words

[Warg!+The+Orcs!!]

Brillant?

Re:two words

[tsjaikdus]

What a relief they've found the bug. OK, now it's save to use.

Re:two words

[GuidoW]

A reference to "The brillant Paula Bean". See http://thedailywtf.com./

>

Sorry, I'm too lazy to search for the actual article in which she was featured right now.

Re:two words

[GuidoW]

Er, sorry, the period at the end of the sentence was obviously not supposed to be part of the URL. Corrected version:
http://thedailywtf.com/

Re:two words

[OakDragon]

Interesting... but I always think of this when I hear "ha ha."

Re:two words

[l_bratch]

Not an issue - domains actually have a dot at the end, in the format, e.g.:

blabla.tld.

http://www.google.com/
http://www.google.com./

Both work.

Re:two words

[AKAImBatman]

Google is your friend.

Re:two words

[TheCybernator]

deja vu

Re:two words

[Idaho]

Brillant?

See The brillant Paula bean and The Brillant Paula Bean, J2ME Edition

Re:two words

[charlieman]

That's Ha ha!

Re:two words

[HeroreV]

The real WTF is that he didn't give a link, causing 5 other people to do it for him.

Re:two words

[Nocturnal+Deviant]

one word....OWNED another 2 words: Get firefox.

Re:two words

[Warg!+The+Orcs!!]

oh....brillant
I'm not sure the "troll" mod is justified in my GP post :(

Re:two words

[ady1]

Looks BS to me. I am running vista 5600 and it says that "Your browser does not appear to vulnerable to this particular exploit." Maybe it is specific to XP?

Re:two words

[PhrostyMcByte]

How much you want to bet this guy found the vuln weeks ago, but held off on releasing it so he could brag that he discovered the first IE7 vuln, and it only took him less than 24hr!

Re:two words

[PylonHead]

Yes, you're right.. it is traditional when releasing a new version of software to THROW OUT ALL YOUR CODE AND START OVER FROM SCRATCH.

I love it when people in the cake decorating industry post to slash dot.

Re:two words

[Darundal]

Yeah, they couldn't think about all the details like that whole more secure thing...

Re:two words

[mrbester]

"this error was not pointed out during the development of IE 7" Yes it was. 6 months ago, when the flaw was first publicised in IE6. Seeing as how the dev team on IE7 and the patch team on IE6 are different people, that makes two groups who didn't bother to do anything about it.

Re:two words

[tehcyder]

it is traditional when releasing a new version of software to THROW OUT ALL YOUR CODE AND START OVER FROM SCRATCH.

But only on the even numbered releases.

Re:Firefox

[bagboy]

What was wrong with gopher???

IE7 Vulnerability Discovered

[Rik+Sweeney]

In a very motherly voice:

Oh Microsoft, what are we going to do with you, eh?

Re:IE7 Vulnerability Discovered

[Rohan427]

Format C:. Install any other OS.

PGA

Re:IE7 Vulnerability Discovered

[TheCybernator]

I Came, I Saw, I Crashed
déjà vu

Re:IE7 Vulnerability Discovered

[hitmark]

format does not cut it. try fdisk or some of those gui partition managers.
if you just format your still stick with either FAT32 or, more likely, NTFS.

Re:IE7 Vulnerability Discovered

[Mattmgm]

obligatory Aliens ref:

But the only way to be sure is to nuke it from orbit. It's the only way to be (mostly) sure...

Browsers are just too complex

[cliffski]

Thats the root of the problem. I'd wager 90% of the functioanlity for browsers is only used by 5% of end users. Granted a lot of stuff is demanded by web develoeprs who want fancy this, animated that, and sliding and fading the other, but to be honest, most of us dont need any of that junk.
As end users, how much of browser bloat do we really need?
I think there was a slashdot story asking for feature requests for firefox recently. my main request is this please:

less of everything

Its already at the case where im starting to notice how long it takes firefox to start. Sometimes more features does not mean better. Its like anything, cars, mobile phones, TVs, they all have major feature bloat.
I found it actually impossible to buy a new mobile *without* internet access. Its insane. i remember when you didnt have an animated 'startup' screen for your phone, because the damned things just switched on.

Feature bloat -> just say no :D

Re:Browsers are just too complex

[Goaway]

Here's your porch, here's your chair, and here's your lawn. Now repeat after me, "DAMN KIDS! GET OFFA MY LAWN!"

Re:Browsers are just too complex

[truthsearch]

The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.

The only reference I could find to an mhtml URI through google (which isn't a vulnerability report) is for HTML email. I've generated multi-part MIME email content and never once came across this type of URI. So if someone could elaborate on why this feature even exists it would be helpful.

Re:Browsers are just too complex

[hey!]

Thats the root of the problem. I'd wager 90% of the functioanlity for browsers is only used by 5% of end users.

I don't think this is the case, because for the most part users don't choose which broswer features they use; web sites do that for them.

However, I think the web development model is far too complex, which both causes site developers to create security holes in their applications, and creates many places for security holes to exist in the browser itself.

Re:Browsers are just too complex

[acvh]

While I agree with your No Bloat argument, you neglected an oft overlooked reason that IE contains all these "features", and it's not web developers. It's application developers. There are a slew of vertical market applications that many small to midsize companies are using, where the developer has dropped, or maybe never had, its own user interface, in favor of using IE and ActiveX controls. Insurance brokerages, medical practices, law firms and more, all of them have large, commercial, expensive applications available to them for running their businesses, and many of them are IE based. IE in these cases is just the front end to data stores running on everything from SQL Server on Intel to AIX on Power to whatever. Many times with no Internet connectivity at all.

MSFT can't just disable, drop or change these features, because doing so could break an enter business. So they just pile up more and more code into an already chaotic program.

Re:Browsers are just too complex

[aadvancedGIR]

If only it was only unused stuff, it wouldn't be that bad.
I recently visited the website of a car manufacturer which was full of (I don't want to know which one) cool things to replace the HTML and no kidding (I used my watch), I had between 80 and 200s between the moment I pushed a button and the expected effect (and yes, I was under up-to-date XP/IE6 with a perfectly working 11Mb/s line and it was not at a moment they should be expecting much trafic). The site was of course really nice looking, but it could have been done with just a little JS and Flash.

It gives me the impression that some web developpers just want to steal some money selling useless trendy stuff to their clients and then extort the fix (rollback).

Re:Browsers are just too complex

[AKAImBatman]

Thats the root of the problem. I'd wager 90% of the functioanlity for browsers is only used by 5% of end users.

You would lose that wager. 80%+ of the technology that makes web browsers tick is required just to show you a blasted web page. The standardized APIs allow a good way for JavaScript to then make those pages interactive. Not too many sites are JavaScript-free these days.

What I think you're trying to say, is that features above and beyond the W3C standards are:

1. Not useful
2. Poor attempts at lockin
3. Dangerous

If Microsoft would just stick to the bloody standards, we'd all be better off. Unfortunately, they're still in 1995 mode, trying to beat Netscape at their own propertization game. It wouldn't surprise me if the requests for DOM 2 Events support were STILL ignored in this "final" release of IE7. *grumble* And Microsoft thinks developers will like them because of this?

Re:Browsers are just too complex

[Salvance]

The problem is that Firefox and other non-IE browsers are just trying to support the W3C standards and what web publishers write for their sites. Someone could certainly create a slimmed down version of Firefox that didn't have any bells or whistles, but would you continue to use it if some sites starting displaying incorrectly?

Firefox is gaining acceptance because it's more secure, generally faster, and provides far better support for the newer W3C standards such as CSS2. If you're looking for a small footprint blazing fast load times, try Cello, which can be downloaded from here. Sure, it's from 1994, but it'll run on a 386sx and you can fit 4 copies of it on a floppy. =)

Re:Browsers are just too complex

[xENoLocO]

"I found it actually impossible to buy a new mobile *without* internet access."

You can have my piece of crap cingular phone if you want it. I'm paying for a multimedia package I can't even use.

Phone with no internet access available from cingular

Re:Browsers are just too complex

[jazman_777]

a slimmed down version of Firefox

We could call it "Phoenix."

Re:Browsers are just too complex

[L0rdJedi]

I found it actually impossible to buy a new mobile *without* internet access.

Then you didn't try very hard. My wife and I just got two new Motorola Razor's from T-Mobile with NO internet access. Sure, they're capable, but we had them completely disable it. No Internet, no text messages, no nothing like that. We can still receive text messages from them, but those are free of charge.

The next time you don't want Internet, tell them. Otherwise they'll just leave it on and you'll get charged extra.

Re:Browsers are just too complex

[Pharmboy]

but would you continue to use it if some sites starting displaying incorrectly?

I try not to visit sites that don't adhear to standards personally. The main reason I go to websites is to READ, so as long as it shows text, I'm golden. This is one reason it is impossible to make a good internet appliance for the home, too damn many quazi-standards that aren't.

How many of these advanced features do you really want to even SEE on a website?

Re:Browsers are just too complex

[cliffski]

hang on, my dad has a Razor phone, thats exactly the kind of thing I didnt want. thats bloatware extreme. I dont want web acecss, or even the option for it, or the buttons for it, or anything. Not a camera, not a microphone, nada. zip.
I just want a phone. to make and recieve calls. I dont even text.

I know I know, Im old.

Re:Browsers are just too complex

[SporkLand]

If Microsoft would just stick to the bloody standards, we'd all be better off.

While I agree with this statement. The standards themselves aren't too terribly easy to implement. How long did it take the mozilla.org people to create a standards compliant CSS/HTML renderer? Around ten years . [citation needed]

Re:Browsers are just too complex

[nine-times]

A lot of people are arguing, but I think there's something to what you're saying. Most of the time, really, people should be using straight HTML/CSS. Sometimes people get into the other complicated stuff way too quickly.

Now I'll admit to liking some of the Ajax stuff, but that's not even that much. HTML, CSS, a little javascript and XML. That all seems fine. Flash? We start hitting a problem. It's not good for most of what it's used for, but I guess it's fine, especially when it's an optional plug-in.

But then developers take it to another level. Microsoft uses the web browser as an application to update system files. PDFs open in your web browser instead of downloading them. I had a user call me recently because her Excel files were opening in her IE instead of Excel. It's like Microsoft decided at some point that the web browser was going to be an all-purpose viewer and file manager.

On the other hand, IE7 and Vista seem to be aimed at fixing some of these problems. There are still things to complain about, but it does seem that IE7 is a step in the right direction. From what I understand, it's at least been dislodged from Windows Explorer.

Re:Browsers are just too complex

[Duds]

I think we're the only two people who still remember the whole point of firefox was to be the slimmed down quicker version of mozilla.

It's now every bit as bad (and worse) as the parent.

Re:Browsers are just too complex

[dave562]

This is a really good observation. About five years ago a large portion of the vendors in the manufacturing, ERP, and accounting fields started offering "web portals" and "web enabled" access to their data. Another big buzzword at the time was "extranet". 95% of those vendors went with IE/ActiveX to present the backend data to the browser.

Re:Browsers are just too complex

[noSignal]

Not all cars: http://www.subaru.com/shop/overview.jsp?model=IMPR EZA&trim=WRX_TR_SEDAN

But, yes; I agree. I want a specific device to do one thing and do it well. I want an mp3 player that just plays music, and does so with the best audio quality possible. I want a cell phone that just makes phone calls and will allow me to walk around the house without dropping calls. I don't need to take the world's worst photographs and videos with my phone, that's what my camera is for. I don't want to watch videos on my mp3 player when I commute, that's what my laptop's for.

Features sell, however. The best mp3 player to hit the market yet (imho) was the Rio Karma. Rio was forced out of the market because they just focused on making simple mp3 players, rather than throwing a bunch of poorly developed bells and whistles into their players, and couldn't compete with the ipod (although I don't think they would have done much better if they had). Given the option, the average person will buy the product that does "this and this and this and this..." instead of the one that "just does that" regardless of whether or not they will ever actually do "this and this and this" with it.

Re:Browsers are just too complex

[MrCopilot]

Thats the root of the problem. I'd wager 90% of the functioanlity for browsers is only used by 5% of end users. Granted a lot of stuff is demanded by web develoeprs who want fancy this, animated that, and sliding and fading the other, but to be honest, most of us dont need any of that junk. As end users, how much of browser bloat do we really need?

Jeez, You make it sound like an office suite.

If you factor in extensions, plug-ins, themes, etc. You may have a point. Not a good one, due to the fact that the 5% is different for everyone, but it is a point of some sort.

Ever thought of using Lynx?

Back in my day we had to type what we wanted to happen, none of this mouse clicking, multitabbed, drop shadowing, translucent menuing fluff.

And we loved it, Oh happy day.

Re:Browsers are just too complex

[zcat_NZ]

Or perhaps we could have the best of both worlds; plain text markup which makes web design and debugging easier, and some way that the server and browser can agree to deliver the content in a compressed stream.

Like this: http://www.websiteoptimization.com/speed/tweak/com press/

Re:Browsers are just too complex

[Beryllium+Sphere(tm)]

I was just at a talk by Michael Howard in which he said (I seem to remember) that "secure" and "web browser" are terms that shouldn't be used together.

I have to agree with him on that one. Take a complicated program, expose it to massive amounts of complex data for which specs are so ambiguous that you can't reject bad input, and have a lot of that content be malicious.

The things MS has done right with IE7 include turning off lots of features by default (like Browser Help Objects, yay). They've tried to implement the Biba integrity model in the OS and stuck IE at a tier that's not allowed to corrupt the majority of the system. Michael Howard says that IE7 isn't hit by any of the H.D. Moore bugs from the Month of Bugs, frequently (this is the important point) having more than one layer of defense blocking one of the bugs.

"Wait and see" is the right answer to those claims.

Re:Browsers are just too complex

[CritterNYC]

hang on, my dad has a Razor phone, thats exactly the kind of thing I didnt want. thats bloatware extreme. I dont want web acecss, or even the option for it, or the buttons for it, or anything. Not a camera, not a microphone, nada. zip. I just want a phone. to make and recieve calls. I dont even text.

"not a microphone"? So, you just want to listen, then.

Re:Browsers are just too complex

[Richy_T]

Not a microphone? You only calling recorded phone sex lines?

If you want a basic phone, this one might be of interest:

http://www.mobilewhack.com/reviews/motofone_f3c.ht ml#more

Rich

Re:Browsers are just too complex

[grcumb]

MSFT can't just disable, drop or change these features, because doing so could break an enter business. So they just pile up more and more code into an already chaotic program.

Sadly, that's true. Even more sadly, they could have listened to us in 1997-8, when we screamed bloody murder at the inclusion of ActiveX in IE and Outlook (Express), and warned them that there was no safe way to use them.

MS ignored the warnings - they were dire, loud and frequent - and went ahead with their broken design. That leaves me in a position today where I have no choice but to follow the Nelson Muntz school of logic, which dictates that the proper response to this is simply to laugh.

Re:Browsers are just too complex

[cliffski]

ah balls. you know what I mean :D. I got carried away with ym own rant :D

Re:Browsers are just too complex

[jZnat]

Phoenix was supposed to be a lite version of Mozilla. I liked Firebird, but that only lasted a couple point-releases. Firefox 0.8 is where the bloat started coming in. :(

Re:Browsers are just too complex

[k12linux]

MS ignored the warnings - they were dire, loud and frequent - and...

And this is in keeping with their past actions. Can you say "DCOM'? Since even before the Internet was very popular MS has made design choices which were critisized by security experts while they were just initial marketing hype. Yet MS went ahead and implemented them anyhow.

Re:Browsers are just too complex

[Drooling+Iguana]

aalib.

Or libcaca if you want colour.

Though Links has a graphical version as well, but I prefer Dillo when I need an ultra-light graphical browser.

Re:Browsers are just too complex

[HeroreV]

Yes, because it is so old-school to download a multi-megabyte JavaScript library only once per website. It's much better to download it again every single time you download a page.

Re:Browsers are just too complex

[HeroreV]

No HTML WYSIWYG editor, no email client, no news client, no IRC client. Yeah, I can totally see how Firefox is more bloated than SeaMonkey.

Re:Browsers are just too complex

[Herby+Sagues]

Nope. What he said was that about 90% of the features do not get used BY ANY ONE SPECIFIC USER. But your 10% is not my 10%. There are people for which word count is useles, and for others is their bread and butter. I don't use more than 20% of word's features, but some features I use are probably pretty obscure for most users. And with IE is probably the same, though to a lesser extent (we all see the same web pages after all).

Re:Browsers are just too complex

[zobier]

Speaking of which, Firefox2 has a really nice spell checker.

Which doesn't work in my copy :(

Re:Browsers are just too complex

[0xABADC0DA]

You and the mods have totally missed the point. "Encoding: gzip" has absolutely no relevance to cross-site scripting (XSS). I mention a .zip as a way to send multiple 'files' in one stream, which *does* solve the problem, not as a way to compress them. Which is why I never mentioned compression.

Here's the problem:
      <search_text> user input </search_text>

If you don't quote properly the user can send "<script> ...any script... </script>" and the html becomes:

      <search_text> <script> ...any script... </script> </search_text>

The page loads and the script executes. But if you change HTML so that the scripts are by reference (ex, "<script id=#scriptname"/>) then even if you forget to quote the text, the worst they can do is have it run an existing script in your page.

Note that you don't allow urls for the script since HTML has the problem of letting user input unquoted text be "part" of the document, so the malicious user can still put HTML tags into the final page and thus could just have the id link to a script someplace and get that included. Also by separating the script from the HTML it doesn't mean you have to download a huge script library for each page, for example it could just be links to the scripts the page uses, but outside the html. That's why I said "inline scripts". Even just only allowing scripts to be defined in the page head would almost eliminate the XSS problem.

Re:Browsers are just too complex

[zcat_NZ]

Chalk this up to a cross-comment reply, I thought I was replying to a comment about plain-text formats being too bloated and inefficient.

I'm not sure what the answer to XSS is; but as a later posting already observed; if you have multiple pages that share the same large chunk of javascript it doesn't make a lot of sense to attach and download it again for every page. I'm not sure what the better solution is, but I'm sure there will be a better solution.

Not Really news

[Zarniwoop_Editor]

It's not really news that there are security issues in IE 7. Problem is there are security issues in so much these days that it's really just about what has been found so far.

Back to the old text based lynx browser for me. Now, Anyone know where I can get a flash plugin for Lynx? ;-)

Re:Not Really news

[rs232]

"It's not really news that there are security issues in IE 7.

I thought IE7 and Vist were going to eliminate such 'issues'. It does work the same under Vista?

"Problem is there are security issues in so much these days that it's really just about what has been found so far."

What a waste it is to lose ones mind. Or not to have a mind is being very wasteful. How true that is. T. Danford Quayle.

Score: 5, brain damage

Re:Not Really news

[lahvak]

Gnash should do it. It can run as a standalone application, rather than a browser plugin. You would then view flash content the same way you view images in lynx.

Old exploit

[Iphtashu+Fitz]

This exploit exists in IE6. It just means MS didn't fix it in IE7. It's not like it's a new exploit that was quickly discovered within the few hours after IE7 was released.

Re:Old exploit

[otacon]

That is all the more reason to be concerned about it. If the flaw was known in IE6 then why in the world wouldn't it have been addressed in IE7, I mean they've been working on it for half the decade for crying out loud.

Re:Old exploit

[kfg]

So, what you're saying is that Bill's dog ate the patch?

KFG

Re:Old exploit

[abaddononion]

This exploit exists in IE6. It just means MS didn't fix it in IE7. It's not like it's a new exploit that was quickly discovered within the few hours after IE7 was released.

To me, at least, that's kind of the point. I mean, this is an old old IE6 bug, that M$ has known about for a certainly reasonable amount of time. Yet, they still haven't fixed it. And not to say it's a big deal that they haven't fixed it in IE6 yet. It's not like it's a Critical Priority bug (no pirates can steal Windows or MP3s because of it). But they point is, they did their whole "We heard you" campaign, and claimed IE7 was going to be this great new secure landscape... and they didn't even clean up the old IE6 bugs they KNEW about? I mean, seriously, at this point are we supposed to believe that they're even trying?

Re:Old exploit

[FrankNputer]

Maybe not, but it seems relevant that the new "safe & secure" browser is still broken in the same manner as the old one.

Re:Old exploit

[rs232]

"This exploit exists in IE6. It just means MS didn't fix it in IE7. It's not like it's a new exploit that was quickly discovered within the few hours after IE7 was released."

But I thought IE7 was a brand new browser that didn't use and of the buggy old IE6 code.

Score:5, yet more damage control)

Re:Old exploit

[mrdogi]

In response to this as well as a post further down about it being known since April 2006, it seems to me that only makes matters worse. If IE 7 is supposed to be so secure, why didn't the fix an exploit know for 6 months?

Re:Old exploit

[erlando]

But I thought IE7 was a brand new browser that didn't use and of the buggy old IE6 code.

IE7 is NOT a rewrite. The only thing coming close to a rewrite is the CSS part of the browser.

MS has neglected several areas, one being the whole JavaScript area where IE still leaks memory like a sieve. The attitude at MS is that this is unfixable because it requires a complete rewrite of the browser.

Re:Old exploit

[Overly+Critical+Guy]

Well, you could argue that it was quickly discovered to still exist in IE7. Interestingly, this vulnerability contradicts claims that IE7 is a rewrite. Clearly, it is not.

Re:Old exploit

[rjune]

I am running IE version 6.0 (Version 6.0.2900.2180) on a fully patched version of Windows XP Pro. I also have Automatic Updates (Microsoft Updates) set to automatically download updates, and I manually go to the update site to check on the status. My browser is vulnerable. The big question is why this hasn't been fixed and why is the situation so casually ignored as "old news"?. The exploit does not exist in Firefox 1.5.0.7. That is why Firefox is my primary browser.

Re:Old exploit

[Kozz]

Interestingly, this vulnerability contradicts claims that IE7 is a rewrite. Clearly, it is not.

Au contraire! It could be that they're so darned consistent, the bug was re-created in the rewrite. Sort of re-inventing the same, very bad wheel. Didja ever think of that? I wouldn't put it past them.

Re:Old exploit

[km790816]

No one claim IE was a complete rewrite. Even Firefox started with the old Netscape code base.

Big pieces were re-implemented, but a lot of the core logic (I assume) remains unchanged. Too many sites rely upon how IE does things (standards compliant or not).

Re:Old exploit

[p00ked]

Avast AV doesn't like the IE7 download site:

File name: http://rad.microsoft.com/ADSAdClient31.dll?GetAd=& PG=CMSIE3&SC=F3&AP=1164
Maleware name: VBS:Zulu
Maleware type: Virus/Worm
VPS version: 0642-3, 19/10/2006

Re:Old exploit

[CrossChris]

This demonstrates that MS were lying when they described Vista and IE7 as having "an entirely re-written codebase".

Re:Old exploit

[ConceptJunkie]

But MS has always been saying their stuff is "safe and secure", so that's consistent. Maybe everyone else's idea of what's "safe and secure" is flawed.

Re:Old exploit

[Blakey+Rat]

Until reading your post about 15 seconds ago, I'd never heard a claim that IE7 was a rewrite.

Re:Old exploit

[julesh]

Even Firefox started with the old Netscape code base.

Mozilla was a complete rewrite. It was started by netscape, but when they realised they were unlikely to ever finish it they opened the source.

Re:Old exploit

[Aqualung812]

That is why Firefox is my primary browser

Me too. Firefox does not let their brower go unpatched.

Re:Old exploit

[teh+kurisu]

Thanks for mentioning this, this answers my question: "should I hold off upgrading from IE6 for the time being?"

Re:Old exploit

[Orestesx]

I agree that it's probably not a complete rewrite, but hey, this is Microsoft. We all know they are capable of making the same mistake twice.

Re:Old exploit

[jesser]

Not quite a complete rewrite. The JavaScript engine "Spidermonkey" survives from Netscape 4, at least. (That's just the JavaScript language implementation, not DOM functions.)

Re:Old exploit

This is not a browser bug. The browser is just being used as an attack vector. The exploit bug is in Outlook Express:

http://blogs.msdn.com/ie/archive/2006/10/19/an-ie7 -security-vulnerability.aspx
http://blogs.technet.com/msrc/archive/2006/10/19/i nformation-on-reports-of-ie-7-vulnerability.aspx

Re:Old exploit

[HeroreV]

I mean, seriously, at this point are we supposed to believe that they're even trying?

You should have stopped believing that a long time ago.

Re:Old exploit

[Overly+Critical+Guy]

Mossberg called it a "fundamental rewrite" today. Face it, Microsoft and its enthusiasts acted like it was some big rewrite when it's not.

Misunderstanding

[MrSquishy]

Maybe the line should read "You wanted it easier AND more secure?".

Re:Misunderstanding

[Adelbert]

"Works on contingency? No, money down!"

Re:This is news???

[smooth+wombat]

Next time a bug is found in FF, I'm going to contact the media and scream bloody murder.

It's already been done and found to be a hoax.

Anything else you want to complain about?

Re:Firefox

[kfg]

everybody switch to lynx.

The only safety is vigilence

KFG

Let's be fair

[Lars+T.]

The same problem is known on IE 6 since April 2006

Re:Let's be fair

[hachete]

So the biggest Software Development organisation in the world couldn't fix this big for over a year? For shame ...

It can't be hard to figure that these things are going to get jumped on. Why not fix it and save the bad press?

Re:Let's be fair

[crazman724]

how is that being fair? if they have known about it that long from IE6 then there is no reason that there should be that problem still.

Re:Let's be fair

[Overly+Critical+Guy]

That makes it worse. Not only is IE7 not a "rewrite" as some claimed, but it doesn't fix known vulnerabilities in its previous version. At least if it was new code, you could understand and expect an unknown vulnerability.

Re:Let's be fair

[tbone1]

It can't be hard to figure that these things are going to get jumped on. Why not fix it and save the bad press?

Because no one put it on the Gantt chart.

Re:Let's be fair

[poulbailey]

Not only is IE7 not a "rewrite" as some claimed

That's the second time you've said this. Who exactly claimed IE7 was a rewrite? Microsoft or the voices in your head?

Re:Let's be fair

[Overly+Critical+Guy]

I have? I've mentioned it a total of...twice. In just this article.

Paul Thurrott, Slashdotters, and other enthusiasts have claimed IE7 is a rewrite. Take it up with them.

Re:Let's be fair

[Overly+Critical+Guy]

Thurrott has referred to it as a rewrite at his websites, as have several Slashdot posters in the past. Those are the people I was referring to, not Microsoft.

Re:Let's be fair

[MadMidnightBomber]

That's the second time you've said this. Who exactly claimed IE7 was a rewrite? Microsoft or the voices in your head?

We just assumed it was a rewrite because that's obviously the only way to un-fuck IE.

Re:Let's be fair

[poulbailey]

I still think you're full of it quite frankly. I can only find one IE7 related page on Thurrott's site with the word "rewrite" on it and there he's talking about not wanting to rewrite a previous review of his.

Where's your proof? Random Slashdot posters and bobsvistanewz.blogspot.com do not count.

Re:Let's be fair

[Overly+Critical+Guy]

Well, they do count, because those are the people I was referring to. If you can't find any reference, than I'm glad, because IE7 isn't a rewrite and that meme shouldn't be out there!

Re:Let's be fair

[Achromatic1978]

Quoth "Overly Critical Guy":

Thurrott has referred to it as a rewrite at his websites

Quote "poulbailey":

still think you're full of it quite frankly. I can only find one IE7 related [google.com] page on Thurrott's site with the word "rewrite" on it and there he's talking about not wanting to rewrite a previous review of his. Where's your proof?

Quoth "Overly Critical Guy":

If you can't find any reference, than I'm glad, because IE7 isn't a rewrite and that meme shouldn't be out there!

Are you on crack?!? HE can't find any reference to back up YOUR assertion, and you say "GOOD, because my assertion that he claimed that is untrue!"??

Re:Let's be fair

[Overly+Critical+Guy]

Are you on crack?!? HE can't find any reference to back up YOUR assertion, and you say "GOOD, because my assertion that he claimed that is untrue!"??

I argued with Slashdotters months ago who claimed IE7 was a rewrite. Paul Thurrott referred to it on his blog as a rewrite. Walt Mossberg today called it a "fundamental rewrite."

Is there a reason you're coming unhinged over this?

Re:Let's be fair

[Overly+Critical+Guy]

All right, here's just one result from Google: "fundamental rewrite"

Not much of a surprise

[Salvance]

This shouldn't be too much of a suprise ... how many software products are 100% bug free when released, particularly Microsoft's? Anyone who downloads or buys any software within the first few weeks is just asking for it ... and anyone who buys a Microsoft product within the first year is bound to have issues, whether security breaches or just annoying bugs.

Re:Not much of a surprise

[truthsearch]

Scroll up. This bug was discovered at least 5 months ago. IE 7 is not new software. It's an update to the IE 6 code base. This product is far from new. Hence this shared bug.

Re:Not much of a surprise

[Xugumad]

Heaven help those of us who need to test our websites with new browsers (worked perfectly first time, for reference, probably on account of having read, understood and used the HTML, XHTML and CSS standards).

News?

[Treacharous]

Doesn't everyone use firefox anyway?

Re:News?

[DrDitto]

I gave up on Firefox after using it for 2 years. Memory leaks, spuratic behavior, crashes, 99% utilization, etc. The original Mozilla 1.7.x series was better but unfortunately that line of development is dead.

Re:News?

[Treacharous]

Switch over to Seamonkey. It's great :)

Re:News?

[DrDitto]

Thanks for the pointer! I didn't know that the old Mozilla lives on.

Re:News?

[whitehatlurker]

No.

Vista RC2

[jkl6648]

I just ran the exploit test using IE7 under Vista RC2, and it came back and said that my browser "does not appear to be vulnerable to this particular exploit", so is this just a IE7 under XP issue?

Re:Vista RC2

[Aqua_boy17]

Well, I don't know about 7, but I got the same message running IE6 SP1 on XP saying my machine appeared not to be vulnerable. Of course this is my work machine behind a hardened firewall with all current MS patches. It will be interesting to see if my home machine reports as non-vulnerable as well.

Re:Vista RC2

[HardSide]

Because this is more of a email program vulnerability then browser vulnerability. If people actually research this, they would realize this is an old problem that existed since IE6 and it deals with opening a link in your email program through internet explorer, but you should know better then to open unknown emails in your inbox, the fact that you do, you deserve to get what you get. This article - False - Misinterpeted. Good job /.

Re:Vista RC2

[Chosen+Reject]

So an old vulnerability that was already known in IE6 shows up in IE7 and we're not supposed to be worried? There is this concept called credibility. It relates to someone's trustability. Not that Microsoft had a lot of it before, but when there new fangled browser that is so much more secure still contains a vulnerability from 6 months ago, IE7 starts with a default of ZERO credibility.

Re:Vista RC2

[rjune]

My version of IE does show the vulnerability (Version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519). I'm not an expert on what the string means, but I have a fully patched OS and it appears that I have SP2. Are Microsoft's patches breaking things that weren't broken?

Re:Vista RC2

[qzulla]

This myth is busted!

qz

Active Scripting

[DoomfrogBW]

This has been a problem in Internet Explorer for a while (IE 6 and prior versions). Most people turn off Active Scripting because of the vulnerabilities. You can disable it and have "trusted" sites for those sites which you want to enable active scripting like http://windowsupdate.microsoft.com./

Re:Firefox

[QBasicer]

We get a quarter, actually. Obviously people are going to defend what they like. I like Firefox, although I never used to. I used to hate Mozilla, Netscape and family. I used Opera for a while, but I just don't like IE. I'm sure the day is soon coming when FireFox will have exploit after exploit.

Come on

[critter_hunter]

It's a "Less critical" vulnerability - not really dangerous at all. Firefox still has equally important unpatched "vulnerabilities" - some of which date back to 2004. Retards.

Re:Come on

[truthsearch]

Your first link is for a vulnerability which requires the user to do something (type in a file name). The second is a phishing attack.

You might want to retake an IQ test before you start calling names on /.

Re:Come on

[k_187]

Why? No one else is required to.

Re:Come on

[strider44]

That was his point. Those are really trivial security holes that they haven't patched because they're pretty well unfeasable to actually attack, kind of like this IE hole.

Re:Come on

[Idaho]

It's a "Less critical" vulnerability - not really dangerous at all.

Uhm, hello!?

Using this hole any arbitrary website you visit can request pages from arbitrary other websites *through your browser*, that means including sites to which you may be logged in at the time. For example, your bank account, paypal account, ebay account. They don't even *need* to steal your password if you still have open sessions at sites that matter...

I rather fail to see how this is "not really dangerous at all"!

Re:Come on

[truthsearch]

This IE hole requires no user interaction. Unlike the firefox bugs he links to a simple web page can leverage this IE hole with no extra user input. And considering the URI exploited is used within email I'd imagine Outlook is susceptable, too. So the firefox vulnerabilities mentioned are much less likely to be exploited than this IE hole.

Re:Come on

[Jeian]

What, you were expecting IE and Firefox to be evaluated objectively? This IS Slashdot, you know.

Re:Come on

[necro2607]

That's cool, but Firefox isn't built into my OS. heh

Re:Come on

[strider44]

For what purpose though? The only thing I could think of that would be useful with this hole is targetting a specific person trying to look at his gmail account maybe. I'm not sure how this hole could be used by malicious web sites targetting random people. It's no more useful than the firefox holes.

Re:Come on

[truthsearch]

How about running javascript to go back through IE's history until it finds a bank URL it recognizes. If a secured page is cached (as some poorly written sites are) then this vulnerability could be exploited to go find that data and transmit it to the site you're currently on.

Re:Come on

[strider44]

. . . That hole doesn't allow them to go back through IE's history until it finds a bank url it recognises. All it does is allow the "attacker" to see a web site as if the victim's web browser were viewing it, maybe possibly recovering some information. This might be useful to attack a specific person or group of people but lets face it there are better ways of doing so and this hole is a lot of effort for not really getting very much out of it.

Re:Come on

[truthsearch]

Point taken. I guess I envisioned some javascript that repeatedly hit the virtual back button (window.back() or whatever it is) looking for any interesting information, then using this vulnerability to get that data to the "attacker". But you're right, it's probably more trouble than it's worth. It's a lot less likely to get you valuable information than simple phishing.

Re:Come on

[strider44]

Pity - I kind of like your way better.

Re:This is news???

[shadowmas]

the problem isn't so much as not having bugs in FF but the fact that MS is trying to make it look like the new IE is revolutionary and secure than FF.

Re:Firefox

[QBasicer]

On second thought, why not just use telnet? Surely that'll be safe from everything...right?

Yawn.

[Honest+Olaf]

Stretch. Scratch.

Oh, an IE vulnerability? That's cool man.

Hey, anyone want to get some lunch?

Re:Firefox

Actually Firefox has a similar vulnerability, which has been unpatched for months (as a design decision - there is no way to patch it without breaking useful stuff).

This is a new report of a old vulnerability which isn't serious. The fact that it's been released "not 24 hours" after IE 7 was released is, I would think, because someone decided to release it to coincide with the launch.

Good timing, Secunia

[wumpus188]

But every sane person in the world already has Internet zone security level set to High so who is gonna be affected by this?

Re:Good timing, Secunia

[Veldcath]

98% of users... because we know this whole world is bloody insane...

IE7 maybe not vulnerable?

[jrsp]

IE7, freshly installed this morning, on XP SP2 reports not vulnerable. Perhaps it was already patched, or the exposure is more limited than the post implies...

Not an MS fan, but truth and accuracy are always good.

Re:IE7 maybe not vulnerable?

[truthsearch]

Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected.

http://secunia.com/advisories/22477/

Re:IE7 maybe not vulnerable?

[DigitlDud]

I haven't been able to get this vulnerability to work anywhere, on XP or Vista.

Re:IE7 maybe not vulnerable?

[pedalman]

but truth and accuracy are always good

Here? On Slashdot? You must be new here.

Re:IE7 maybe not vulnerable?

[EMN13]

It's technically not an IE hole, but an outlook issue. So if you don't have outlook [installed and configured correctly], you aren't vulnerable. Why IE7 permits access to external protocol handlers without asking is another issue...

Re:Firefox

[tsa]

But aren't these vulnerabilities already popping up? They're fixed much faster though...

"Suprise, Suprise, Suprise" -- Gomer Pyle.

[www.sorehands.com]

"Fool me once, shame on you. Fool me twice, shame on me." -- Scotty.

"Insanity is defined as repeating the same behavior and expecting a different result."

Micorosoft have been patching security for years. They now claim, "Security is job one." Do you believe it? Why would you? I would not trust IE unless it is rewritten from scratch. There is only so many patches you can do.

I worked on CALANdar back in the 90s. The program started its life as a quick and dirty in/out notifier. Over the years, it turned into a groupware scheduling package. Ignoring my protestations regarding security risks, I was required to add OLE to the Windows version. There was comments from the original author that said "I know this case is F**Ked, but Dick wanted it done now, I will fix it later." That code was there 4 years after the original author left. When you add onto an unstable base, you do not make code more stable.

Re:Firefox

[Ingolfke]

lynx sucks. I use links.

This page produces a rendering bug for me

[patio11]

*sigh* And I sincerely wanted to move to IE7 from Firefox just to be contrarian.

Re:Firefox

[towsonu2003]

and your reference is? (link to the bug report)

Helllloo?

[thepotoo]

Last time I checked, Firefox was open source. You are more than welcome to fork the project and make a "lite" version. I would probably give it a try.

But, don't forget that if you strip away too much, you'll end up with Lynx. Some people like at least images and css, you know?

Re:Helllloo?

[east+coast]

Man, people need to get metamodding if this is considered a troll.

Re:Helllloo?

[morgan_greywolf]

Last time I checked, Firefox was open source. You are more than welcome to fork the project and make a "lite" version. I would probably give it a try.

People already have.

Re:Helllloo?

[thepotoo]

Gnuzilla and IceWeasel is a fork of the mozilla suite. It's not the same as firefox, as extensions don't work, and Epiphany has serious issues with a lot of the firefox extentions.

What I want is a browser that starts up the second I click the icon, and one where I can nuke the stuff I don't want (flash, java, videos), and install extensions for what I do want. (Adblock, tabmixplus).

Re:Helllloo?

[Crayon+Kid]

So preload it. I use AllTray on Linux to accomplish that. Got both Thunderbird and Firefox loading inside AllTray from .xinitrc. When I actually need them they pop up instantly.

Honestly, I think it's the closest you'll ever get to your wish. Having a XUL application loaded with plugins and extensions start up instantly is just not doable, unless you pack a multi GHz CPU, ultra fast HDD and a load of RAM. I eagerly await Firefox devs to prove me wrong.

Re:Helllloo?

[ElleyKitten]

Gnuzilla and IceWeasel is a fork of the mozilla suite. It's not the same as firefox, as extensions don't work

IceWeasel is a fork of Firefox, and extensions work just fine on it.

Re:Helllloo?

[ElleyKitten]

IceWeasel is not Firefox lite, it's Firefox w/o trademarks. And Epiphany isn't Firefox, and it's not all that lite.

Re:Helllloo?

[gwbennett]

Isn't this the idea behind Swiftfox?

Re:Helllloo?

[morgan_greywolf]

Epiphany uses the same rendering engine as Firefox and, from my testing, loads much quicker than firefox, uses less memory and integrates with the desktop better.

Re:Helllloo?

[ElleyKitten]

Epiphany uses the same rendering engine as Firefox and, from my testing, loads much quicker than firefox, uses less memory and integrates with the desktop better.

Epiphany does you the same rendering engine, but I don't think that really makes them the same. Also, Epiph on my Ubuntu PC loads about as fast as Firefox or IceWeasel, and uses about the same memory, and IceWeasel with the Human theme integrates just fine. Although, you might want to take me with a grain of salt, because it seems I'm the only person on slashdot to never, ever experience the Firefox memory leak, and considering all the KDE apps I run in Gnome I am not the person to ask about desktop integration. Still, I think it's a little much to call Epiphany "Firefox lite".

FYP

[tygerstripes]

I would not trust IE unless it is rewritten from scratch.

...by someone else.

Re:"Suprise, Suprise, Suprise" -- Gomer Pyle.

[Viol8]

" would not trust IE unless it is rewritten from scratch."

Even then I wouldn't trust it. MS's record at new code isn't any better.
Besides which, the Mozilla tree was originally a complete rewrite of
Netscape and that hasn't been exactly bug free. I think the real issue
is simply browsers having everything including the kitchen sink thrown
into them. They need to be streamlined , take out some of the eye candy
and functionality hardly anyone uses and you're off to a better start.

Opera doesn't want to feel left out

[helmutvs]

This vulnerability is not very significant. What I found more amusing was that on the same secunia page there's a list of the most popular advisories and Opera appears just under IE. The Opera vulnerability involves a mistake that any student learns to avoid in his or her first programming class. Furthermore, the Opera buffer overflow is rated as "highly critical" and affects both Windows and Linux versions, whereas MSIE 7's is only "less critical." The Opera bug is truly an amateur's mistake.

Re:Opera doesn't want to feel left out

[Aqws]

You forgot to mention one thing... That it is already patched.

Re:Opera doesn't want to feel left out

[cmh7r]

"involves a mistake that any student learns to avoid in his or her first programming class"

You do realize this is the cause of most security vulnerabilities across the board, right? It's hardly a solved problem. Although in a way you are right, most first programming classes are taught using safer languages than C now, so maybe they are teaching the solution.

Re:Opera doesn't want to feel left out

[giriz]

http://secunia.com/product/4227/?task=statistics reports that firefox 1.x has 36 advisories (3% of them is extremely critical) Opera 8 has only 15 advisories (0% extremely critical) Opera 9 has only 2 one high and one moderate. So shut your mouth as it is the safest and fastest browser on earth.

Re:Opera doesn't want to feel left out

[helmespc]

You do realize this is the cause of most security vulnerabilities across the board, right? It's hardly a solved problem. Although in a way you are right, most first programming classes are taught using safer languages than C now, so maybe they are teaching the solution. If someone really need the programming language to stop you from overrunning a buffer, they probably should just stop writing software because its obviously not their forte. But you're right, this is the leading cause of vulnerabilities, and its silly that it even happens. People just need to learn to keep better track of buffer sizes and use safer memory writing functions.

Re:Opera doesn't want to feel left out

[bunratty]

The product with the fewest advisories is not necessarily the safest to use. It could be that black hats have discovered a serious vulnerability in Opera and are exploiting it right now. And besides, you can't necessarily predict the future from the past, otherwise making predictions would be trivial.

Re:Opera doesn't want to feel left out

[helmutvs]

When someone shows me that Opera can properly display tables, I'll use it.

Re:Opera doesn't want to feel left out

[xtieburn]

Opera is more compliant with the web standards than either Firefox or IE.

If your tables arnt being displayed correctly its very likely because the tables are wrong, not Opera.

Re:Firefox

[diersing]

And if you were honest you wouldn't be hiding behind the AC label.

Re:Firefox

[bozendoka]

I agree completely. Heaven knows there weren't any fanboys on Slashdot before Firefox.

Ah, those were the days... rational discourse, on topic discussions, no spelling errors...Why, I remember one time, I said that I thought that Gentoo could be a little easier to install, and nobody modded me down. Dammit, I promised myself I wasn't going to cry!

Disingenuous

[CDPatten]

kind of a double edged sword. Its just so intellectually dishonest. Obviously they had found the hole before the release and were just waiting to try to embarrass MS.

They claim they want to see secure MS software, but work against the industry practice of making software more secure and bug proof by withholding flaws they find.

Re:Disingenuous

[truthsearch]

I'm not sure if you're serious or not, but this bug was announced months ago in IE 6:

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.

http://secunia.com/advisories/19738/

Re:Firefox

[Reverend528]

What was wrong with printed media?

I don't see what this "web technology" can do that a newspaper can't.

Re:Firefox

[rs232]

"Actually Firefox has a similar vulnerability, which has been unpatched for months (as a design decision - there is no way to patch it without breaking useful stuff)"

Could you give us a pointer to the Firefox bug and what stuff does it break.

"This is a new report of a old vulnerability which isn't serious"

Could you give us a pointer to the original report.

Score: 5, Damage control

Re:Firefox

[gormanly]

switch?

'course, Slashdot is awful in Lynx. All the stuff in the sidebars goes to the top of the page.

And the comment entry is sucky too...

Re:Firefox

[Robber+Baron]

I use lynx to surf pr0n!

Lynx vs. links. Security? Standards? Usability?

[abaddononion]

Let the CLI-browser flame-wars begin!

Re:Lynx vs. links. Security? Standards? Usability?

[rk]

Links? Lynx? You're all wimps.

I posted this by hand using "telnet slashdot.org 80".

Re:Lynx vs. links. Security? Standards? Usability?

[aymanh]

You need a computer program to post? How amateurish! I'm posting this by waving a magnet next to a phone cable ;)

Re:Lynx vs. links. Security? Standards? Usability?

[AntEater]

How dare you forget eLinks? It's much better. text-mode tabs rule!
http://elinks.or.cz/

Re:Lynx vs. links. Security? Standards? Usability?

[JWSmythe]

    You use a magnet? Some of us use telepathy. I close my eyes and focus on where I want to be, and manipulate the electromagnetic patterns on the ethernet cables of the server that runs Slashdot. The latency is a lot lower than using that pesky Internet thing. :)

Re:Lynx vs. links. Security? Standards? Usability?

[An+ominous+Cow+art]

You're working too hard. I just close my eyes, and Slashdot comes to *me*.

Re:Lynx vs. links. Security? Standards? Usability?

[rk]

"You need a computer program to post? How amateurish! I'm posting this by waving a magnet next to a phone cable ;)"

Well, I needed a program because I wasn't connected to the internet at the time. I just transported those packets through sheer strength of will. :-)

How you doin', Ayman? You need to put up a JE whenever you post to your blog 'cause I always forget to read it. Or, I suppose I could just get the RSS feed. :-D

Re:Lynx vs. links. Security? Standards? Usability?

[aymanh]

Well, I needed a program because I wasn't connected to the internet at the time. I just transported those packets through sheer strength of will. :-)

Hehe. By the way this series of jokes never gets old. It's bound to appear as soon as someone mentions Lynx or telnet.

How you doin', Ayman? You need to put up a JE whenever you post to your blog 'cause I always forget to read it. Or, I suppose I could just get the RSS feed. :-D

I'm doing fine. Good call about the JE thing. Will do whenever I have something worthy of sharing here :)

IE7 is actually pretty good

[Bullfish]

I have used ff for a few years now, and have been a fan. I presently run ff 2 RC3. I overall like ff, but I find besides the memory feature, that it is just slow and balky compared to IE (and I have tweaked the ff settings for speed). I really want to like ff more, but until it becomes a smoother experience, I will likely do most of my browing with IE7. As for being more secure, I just assume no matter what that any machine connected to the net is not secure and act accordingly.

Re:IE7 is actually pretty good

[blueZhift]

I started using IE7 this morning, and so far it's pretty good for the usual stuff I do. I'm not planning to stop using Firefox regularly, but at least for those times I must use IE, it won't suck so badly anymore. IE7 seems to be pretty fast and stable on my machine relative to Firefox 1.5.7.

Re:IE7 is actually pretty good

[Bullfish]

Cry me a river.

The problems I mentioned are real, not FUD, and I am not the only one to have enumerated/complained about these issues. I will continue to support ff, but it has a long way to go. I suspect much of ff's balkiness comes from IE specific coding on sites. When those sites change, maybe that will go away. In the meantime, it happens more than I (and a lot of others) like.

As for looking stupid, your denial of reality doesn't make you look like a rocket scientist.

Re:IE7 is actually pretty good

[bunratty]

I suspect much of ff's balkiness comes from IE specific coding on sites. When those sites change, maybe that will go away. In the meantime, it happens more than I (and a lot of others) like.

You can't blame sites for memory leaks. Report whatever leaks you do see so they can be fixed. Personally, I'm finding memory leaks to be rare with Firefox 2.

Re:Firefox

[chrismcdirty]

That must not be your first UID. I don't ever remember a ton of rational discourse, on-topic discussions or error-free spelling.

As the saying goes...

[djupedal]

Any publicity is good...good publicity is even better.

Keep chatting it up, people. This is exactly what red-o-mundo' wants - how's it feel to be sooooo used, eh? :)

Re:As the saying goes...

[jeremyclark13]

It feels sooooo good.

Re:As the saying goes...

[Crayon+Kid]

Any publicity is good...

There's a difference between laughing with somebody and laughing at somebody.

I wonder when they knew about the vulnerability?

[notaprguy]

If they knew about it before the release of IE 7 then they're low-lifes.

That should not affect security!

[KillQuentin]

Maybe IE is bloated - but this is often the fate of a successful application.

Surely it must be possible to structure the system so that the threat caused by any application going crazy/malicious, can be contained?

This is the system architecture issue that is wider than just a browser.

Re:Firefox

[GuidoW]

Excuse, but where did you read that FF has that exact same vulnerability?

Also, even though FF does have issues, I believe you'll be hard pressed to find a vulnerability in FF that has been known for years and still gone unfixed. (According to heise on http://www.heise-security.co.uk/news/79745 this is actually an old bug that also affects IE 6)

There will always be issues

[Programmer_In_Traini]

People will always find something. When you got hundreds of thousands of people checking your software for whatever issue they can find, odds are that they WILL find something. Just because its fun to bash MS doesnt mean its feasible to create a software with zero vulnerabilitise, that's impossible, new vulnerabilites are created each weeks.

I mind much less IE's security than IE's compliance to w3 standards. now THAT is annoying. having constantly to create two versions of your code. one for the compliant browsers and then one for IE.

For some reason, the suits at MS thinks that because lots of people use their software they have a moral obligation to tell people what the standards should be. Ok...I know IE7 is not as bad... but its still bad :-)

Re:There will always be issues

[moore.dustin]

IE7 is not as bad? IE7 Renders everything all of my sites exactly how it should. If you made a compliant site before IE7, then it will work fine now that IE7 is out. IE6 was a nightmare, but not nearly the mess it was a year or two ago. The bugs are known, the fixes are easy, and the alternatives are simple. The idiots who used hacks inside their CSS are the ones that are going to pay, as well they should though. The whole idea behind standards and the W3C is to make compliant code, not to make mostly compliant code.

When you hack up your CSS, you lose compliance and guess what, IE7 wont render it correctly! If you used conditional HTML to redefine the classes you need to for IE6, you will be compliant and working forever.

Also, all these webmasters that are so happy that IE7 is mostly compliant and they do not need to hack it up anymore are STUPID. They are going to have to be making the SAME EXACT fixes they did for years for several more years to come. It is not like IE6 is gone - it is going to have a share bigger than FF for at least a year or two. Now you are just going to be even more pissed when you have to make your fixes for a much smaller group of people who didnt or cant upgrade.

Re:There will always be issues

[99BottlesOfBeerInMyF]

If you made a compliant site before IE7, then it will work fine now that IE7 is out. IE6 was a nightmare, but not nearly the mess it was a year or two ago.

Yawn. I generate some HTML and CSS and XHTML destined for a very specific set of paying customers. I built the system quickly, just following the standards. Then I tested it. Every browser I tested including Opera, Firefox, Safari, Camino, and Konqueror rendered it exactly as expected. IE6 failed to render the XHTML formatting because they are half a decade behind the rest of the industry. Luckily, none of the people who will view this are likely to be using IE, so if someone happens to they can deal with something similar to plain text. When the IE7 beta came out and now that IE7 is out I tried it again. Just like IE6, IE7 fails completely.

MS has more money and developers than pretty much any other company. They did not make IE7 compliant because they don't care to spend the effort. If you want Web compliance you need competition in the space. Since no one stopped MS from illegally bundling IE, the industry pays and most developers have to waste a lot of time working around MS's noncompliance. This should surprise no one (and probably wouldn't except for all the marketing crap MS has spewed to convince people IE7 would be different).

Re:There will always be issues

[moore.dustin]

It does not change the fact that the fixes are easy to do and also worth doing. I think IE7 is a great browser and really, the only people that wont use it are OS X people and nerds/geeks. Firefox fanboys will never die, no matter what MS comes out with. Fact is that MS now has a good product out now and the fanboys are going to have a harder time getting people to switch.

FF Market Share will drop over the next year.

Re:There will always be issues

[Shados]

Its not like Firefox is 100% compliant either, so the reason your site works in all those browsers, is that (probably by reflex), you only used features that are supported by those. Obviously, IE7 sucks less than 6, but still sucks, so the odds that you hit something it didn't support were higher, and tada, you hit one. There are even a few CSS2 properties that virtualy no browser supports. So if you make a web site, and go by the -standards- and nothing else, you're in for a surprise. But you didn't. You went by the standards supported by most browsers, and of that, a few (ok, a lot), weren't supported by IE7. That is -very- different. You could use features supported by Firefox and not by Opera, or vice versa, and you'd end up in the same boat. Mind you, we're talking 95%+ support as opposed to like, 60% or something, but still.

Re:There will always be issues

[Shados]

IE7 is decent, but I don't think the people using Firefox are necessarly fanboys. When you come down to cold hard facts, Firefox is indeed better. Firefox also has one feature that makes it invaluable: At this point it is relatively mainstream (it doesn't have a huge market share, but it has a significant one anyway), and is cross platform. Thus, if you have a purely internal web application, yet your company has a variety of operating systems (Linux, Mac, Windows, etc), you can make a web app optimized for Firefox, not test it on -anything else-, and just tell people that, for this web application (let say, an ERP system), to use Firefox, and almost everyone can. That, in my opinion, is Firefox's greatest asset, and why, even if IE7 was the best browser ever, Firefox would still have a use. There are other browsers like that (like Opera), but they don't have the same mind share.

Re:There will always be issues

[99BottlesOfBeerInMyF]

Its not like Firefox is 100% compliant either, so the reason your site works in all those browsers, is that (probably by reflex), you only used features that are supported by those.

No one "by reflex" codes for every browser except IE. I just looked at W3C and followed the specs. IE simply does not follow the specs while every other browser does, at least for basic functionality like what I was using.

Obviously, IE7 sucks less than 6, but still sucks, so the odds that you hit something it didn't support were higher, and tada, you hit one.

Yeah, but this was comparing IE6 and IE7 to every other browser I can find. If all the others can manage to implement the standard, why hasn't MS managed? Is it just a coincidence that every feature I tried works in every browser except IE?

There are even a few CSS2 properties that virtualy no browser supports.

Sure there are, and lots of edge cases, but I'm not talking about weird features and esoteric edge cases. I implemented the basics of a standard that is six years old.

So if you make a web site, and go by the -standards- and nothing else, you're in for a surprise. But you didn't.

Yes, I did. I looked at the standard, and wrote a scripted process to generate that standard. I didn't run into any problems with other browsers not because they are perfect, but because they all made a reasonable attempt at following the standard and MS intentionally avoided doing so.

You could use features supported by Firefox and not by Opera, or vice versa, and you'd end up in the same boat.

Sure I could, if I was trying to do something more than some formatted text, hyperlinks, and graphics, but I wasn't. I was doing something that should have been dead simple and would be except for MS's intentionally broken browsers.

Re:There will always be issues

[Shados]

What doctype were you using? o.O basic formatting is part of CSS1, which IE7 as far as I know supports at 99.99999% or just about. The only "basic" feature that tends to give problems is div overflow, even in IE6, assuming you're using an XHTML doctype. In HTML 4 or quirk mode, its another story, and everything's broken.

Re:There will always be issues

[99BottlesOfBeerInMyF]

What doctype were you using?

I originally used the proper doctype, then switched to the transitional, loose HTML 4 work around in order to get it to parse in IE.

The only "basic" feature that tends to give problems is div overflow, even in IE6, assuming you're using an XHTML doctype.

IE6 and IE7 both puke when confronted with any real XHTML, in this case the use of namespaces. If you rely upon XHTMLs features that are identical to HTML 4, IE will render them, but if you use any real features you might as well give up.

Re:There will always be issues

[Shados]

I originally used the proper doctype, then switched to the transitional, loose HTML 4 work around in order to get it to parse in IE

That would do it. If you don't use at least XHTML transitional for your doctype, then IE uses the old, broken box model. That screws up everything. Not sure what you had issues with though, since uses XHTML 1.0 (sometimes 1.1), go through the validator peachy, and work in IE6 even. So why did you need to use HTML 4 is beyond me.

Re:There will always be issues

[99BottlesOfBeerInMyF]

That would do it. If you don't use at least XHTML transitional for your doctype, then IE uses the old, broken box model.

You misunderstand. The XHTML transitional doctype causes MS to parse the XHTML as HTML, which is what most people do, but XHTML supports namespaces (sort of the reason for using it) and HTML does not, thus IE renders it as HTML but ignores all the formatting info from the namespaces.

So why did you need to use HTML 4 is beyond me.

XHTML, according to the spec, is backwards compatible with HTML4 for gracefully degrading. IE 6 and 7 both (with the workaround doctype) will parse XHTML as though it was HTML 4. That is as close as IE comes to supporting XHTML. Try it yourself.

This has been discussed to death on various discussion groups and even the IE dev team admits they don't actually support XHTML, only the subset of it that happens to be HTML. When they announced improved XHTML support that is what they meant and they admitted it was misleading.

Re:There will always be issues

[Shados]

I am well aware of that. What I was trying to explain however, had jack nothing to do with XHTML itself, but with the way the doctype affects the standard compliance mode of IE, especialy its box model. If even -basic- features of CSS didn't render correctly in IE7, then you used a doctype that put IE in quirkmode. Again, this has nothing to do with actual XHTML support.

Before writting this post, I double checked, and one thing I wasn't aware of was that some HTML 4.0 doctypes do put IE in pseudo-standard compliance mode, and some XHTML doctypes put it in quirkmode, so maybe thats where the confusion stems. If there are -basic- features (like formatting text, etc) that IE7 barfs over when it is -not- in quirk mode, I'd like to know about them.

Re:There will always be issues

[99BottlesOfBeerInMyF]

If even -basic- features of CSS didn't render correctly in IE7, then you used a doctype that put IE in quirkmode.

Sigh, I said basic features of XHTML, not of CSS. Try this, following best practices, simply make an HTML page using CSS that matches up to namespaces within your document. That is pretty damned basic and every browser but IE handles it easily. IE does not and according to the developers that is because they did not get around to implementing XHTML pretty much at all.

You'll note, if you're already generating XML with namespaces, from a handful of different sources and tools like I am, simply turning it into valid XHTML is cake. Mapping all of it to individual HTML loses data, making it unable to be "round-tripped" and provides less flexibility with your CSS. Further it takes a lot more work and and at that point is no more functional than latex or something to PDF. Thus, IE fails for this fairly simple task while all other browsers handle it without issue. Since I'm in the wonderful position of not having to support IE, I don't in this case.

Re:There will always be issues

[99BottlesOfBeerInMyF]

I think IE7 is a great browser and really, the only people that wont use it are OS X people and nerds/geeks.

Both of these statements may be true, but it is important that you don't make the mistake of believing they are connected in any way. IE is and for years has been inferior to Firefox. It dominates the market because of MS's illegal actions, which is the same reason they have not bothered to fix such glaring, long standing problems as the one I pointed out.

Fact is that MS now has a good product out now...

Umm, good compared to what? Is there any other browser on the market that is not better than it? They have a product they hope is "good enough" so that people are not motivated enough to look for solutions to the problems IE creates for them.

FF Market Share will drop over the next year.

This is entirely probably, but it is because of MS's criminal actions bypassing the competition, not because IE can beat Firefox in a head to head comparison.

Parent =/= Troll

[MeanderingMind]

Who modded this troll? It's a perfectly legitimate point. He's not insulting the OP, it's a viable suggestion. While you could argue over whether its insightful, informative, or funny (given the comment on Lynx), this is by far not a troll comment.

What?

[rtobyr]

This is news?

Re:Firefox

[uss_valiant]

This is a new report of a old vulnerability which isn't serious.

How is it not serious? Just because Cross-Site Request Forgery (XSRF) isn't used as wildly as other XSS yet doesn't mean it's not as severe.

BTW: I tested the test script on secunia.com with IE7 Beta 2 and it said my browser is not affected by this vulnerability. Yet, JavaScript is enabled.

It would be great if cross-site XML HTTP requests would be forbidden completely in JavaScript. It wouldn't solve XSS completely, but at least some advanced versions of XSRF (POST requests via JavaScript, GET request and reroute reply to other server, ...).

Re:"Suprise, Suprise, Suprise" -- Gomer Pyle.

[chrismcdirty]

I like how Firefox originally started as the slimmer, less resource-intensive version of Mozilla. And look where it is now.

FireTroll or TrollFox... nope, just a good idea

[h2g2bob]

It's a little harsh to call that a troll.

It's a serious point. You could make a lite version. Lots of people would give it a try, me included. And there have already been forks of Firefox, like IceWeasel and Tor Park.

If it were talking about forking IE, it should be labeled "joke". As it's talking about Open Source stuff, it should be "insigtful".

Re:Firefox

[MobileTatsu-NJG]

"Do Firefox fan boys get a nickel everytime they defend firefox?"

What's sad is you'd think by now, after several exploits in FF have been uncovered, even FireFox fan boys would realize "oh, yeah, writing a browser's reallying f'n hard".

Re:Firefox

[manwal]

Do Slashdot fan boys get a nickel everytime they defend slashdot? Honestly, this website fan boy war needs to end, we are more civilized. Besides, if slashdot had as many users as digg.com, im sure their would be stupid fan boy comments popping up from left to right on slashdot.

Not poor programmers?

[www.sorehands.com]

These days it seems as though many programmers don't know assember. They don't know what it is program with limited amounts of memory and how to write tight and fast code. Part of it may be marketing checklists, but some of it is ignorance and lazyness.

Re:Not poor programmers?

[Viol8]

True , but also I think a lot of the blame can be laid at the
door of bloated generic C++ APIs that people use because they're too
lazy and/or stupid to roll their own code which would take a bit
longer but save a lot of overhead.

Re:Firefox

[superbeer]

I may be confused, but doesn't client site http requests done in this fashion only allow content from the domain the page itself is in? If you view the source of that test page the request is being made to "http://secunia.com/ie_redir_test_1", if you paste that url into a browser it looks like that is page is just dynamically pulling the google news.

Brillant Link.

[Bake]

Took me all of 3 seconds Googleing for "brillant site:thedailywtf.com".

Paula's Brillant Bean:

http://thedailywtf.com/forums/40043/ShowPost.aspx

Re:Firefox

[stfvon007]

Ha ha! im the safest of you all! I use wget to download it to an encrypted file, then view it with a hex editor, decrypting it in my head!

*starts coughing*

CRAP! My brain got a virus!

Re:Firefox

[kwark]

telnet allows terminal escape sequences to be send to the terminal:

http://marc.theaimsgroup.com/?l=bugtraq&m=10461271 0031920

Doesn't affect IE7 on Vista RC1

[SnprBoB86]

I'm running some beta of IE7+ on Vista RC1 (I haven't had time to upgrade to RC2 yet). The vulnerability test shows that this browser isn't vulnerable.

Re:Firefox

[samnice]

i couldn't agree more. Nerdom Unite! if you see a story on M$ and you hate them, then try to post something informative to help folks like me understand what the problem is. you don't need to remind me that they are a heartless corporate juggarnaught or that run hoary hedgehog on your whitebox or you have never gotten a virus because you are cool mac user.
and if you are a moderator, please mod these things down, or at least don't mod up. i know humor is relative, but after a few posts of "that was fast?", or "that's news?" maybe we can stop modding things as funny and go for redundant.
my own opinion is that that some things work better on ie. its just a fact. my default browser has been FF since tabbed browsing, and also to support their work, but now that ie has some of that same functionality, i am using it even more because i tend to go to it for a few sites that i use for work that demand it. security hasn't been an issue with either browser (nor was it when i used Maxthon, or Opera).

Eh?

[Fallen+Mongoose]

I guess it's a canadian mother.

Re:Firefox

[morgan_greywolf]

I don't see what this "web technology" can do that a newspaper can't.

Video pr0n.

Is this a bug?

[bot24]

As seen with Webkit.

Server: Apache
Location: mhtml:http://secunia.com/ie_redir_test_2
Keep-Alive: timeout=5
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Webkit cannot open this address, and the script breaks. Nothing appears in the results field.

Re:Firefox

[alx5000]

Right click.... Oops, that was Macs...

Re:Firefox

[sankazim]

Actually if you check better what is going on at the HTTP level you find the bug. Just look at it using wget

Request: http://secunia.com/ie_redir_test_1
Answer: 302 with Location: mhtml:http://secunia.com/ie_redir_test_2

where MHTML is a special mime for storing a full web page in a HTML file. Then
the browser peforms the redirection

Request: http://secunia.com/ie_redir_test_2
Answer: 302 with Location: http://news.google.com/

finally a good browser should stop the forwarding because of the different domain, but
instead IE gets confused and grabs the external resource.

IE7 hangs on CTRL+W

[ss122_ry]

Okay, so it hangs if I just launch it and press CTRL+W. Anyone else experience this?

Using Vista RC1

[Utopia]

The Secunia test says I am not vulnerable with Vista RC1

Vista RC1 was released almost a month ago.
So I am surprised this new XP IE7 build still exibits this issue.

Looking at the source, I suspect this is not a IE issue at all, instead this is a MSXML issue.
Vista has anewer version of MSXML.
XP IE7 seems to be using the older version.

Re:Using Vista RC1

[Merle+Darling]

Yeah, it says I'm invulnerable too, I'm using Vista RC2. Go figure.

Oh, sorry, this is Slashdot.. ROFFLECOPIER MS IZ TEH SUX LOL !!1

Re:Using Vista RC1

[Worminater]

cooling breeze among the flames; mod parent up

I agree!

[thepotoo]

Parent is SOOOO not a troll.

Re:Firefox

[gkhan1]

He has made 291 comments in the past. He has a number of fans and a number of freaks. He has made comments that some people like and some people don't like, and no matter what he stands for it, by using his account. You're a coward because you make trollish comments and don't have the balls to stand for what you say. You're worried that some people might use your comments against you in a future discussion, or you're worried that this might harm your karma.

The difference? He's a man that's not afraid to stand by what he said, you're a small boy that runs around a creates a mess and then blames some one else. If you have any sort of backbone and not a spine made of jello, you should reveal your username. No? I figured you wouldn't.

This is not a new exploit

[NetNinja]

If you go to the website and run the vulnerability checker you will find I.E. 6 has the same problem.

So to raise the sky is falling alert is premature in a sense, but any bad news is good news to alert people to the exisiting fact that I.E. is unsafe at any version.

Doesn't work on Vista

[DigitlDud]

The exploit fails running on IE7 in Vista with protected mode.

Re:Doesn't work on Vista

[The+MAZZTer]

One of my friends says the vulnerability isn't in IE7, it's in XP and IE7 just sorta provides an access point to it. Vista does not have the vulnerability.

He probably meant it's an ActiveX control (as usual) that Vista either doesn't implement or has redone or fixed.

Also IE7 Final isn't out for Vista yet. My friend thinks it'll be available on Windows Update for Vista shortly.

THIS JUST IN!!!

[wwiiol_toofless]

didn't see that coming... nope.

THE PROBLEM WAS FIXED!

I went to the site and found out that the bug wasn't working! Then I looked and saw that I opened up Firefox instead of IE7.

[off topic] - tortoise SVN

[Pope+Raymond+Lama]

Sorry for the OT, but I have some work to get going for a change.
Does any of you who have tried IE7.0 use Tortoise SVN extensions?
Does it keep working fine after IE 7 install?

Thanks.

Re:[off topic] - tortoise SVN

[crackervoodoo]

I'm using TortoiseSVN (ver 1.4.0) and haven't had any problems (yet) after installing IE7. Of course, I haven't done any real dev copies (branches) yet. But, commits, checkouts and updates seem fine.

bell-style

[lullabud]

If you're using bash, try set bell-style visible in your ~/.inputrc. ;-)

So much for "more secure"?

[Trillan]

Dude, 24 hours is more secure for Internet Explorer.

Re:Memory leaks

[bunratty]

MS has neglected several areas, one being the whole JavaScript area where IE still leaks memory like a sieve.

That's no problem. See, Microsoft wrote this real nice article explaining how we can change all the JavaScript code on the web to work around its leaks. Get to work web developers!

The problem with the "90% only used by 5%" rule

[the+frizz]

I often see statements like "I'd wager 90% of the functionality for X is only used by 5% of end users.", with the implicit assumption is that you could remove 90% and only upset 5% of the users.

Unfortunately the math is not that simple. Quite often single users do only use 5% of the features, but it not always the same features for all users. So its possible that when you remove the least used features to get almost every user lose at least one feature they must have. What users really mean is: "I only use 5% of the features and I don't want to be affected by the ones I don't use." And "not effected" applies to UI design and security.

A system of minimal core functionality, plus opt-in, add-on plugins is a solution for this. The concept is applies to operating systems (e.g., microkernels like QNX) as well as applications. I'm not familiar with it, but I hope FireFox designed their plugin interface with the right balance of security and flexibility to achieve this.

Re:The problem with the "90% only used by 5%" rule

[HeroreV]

I'm not familiar with it, but I hope FireFox designed their plugin interface with the right balance of security and flexibility to achieve this.

In the world of Firefox, "plugins" and "extensions" are different. I don't know about plugins, but extensions can do just as much as Firefox can. They have the exact same credentials. Extensions can even include and call on binary dynamically-linked libraries.

Re:Actually, what's wrong with http? its overloade

It's funny to see how snotty the purists get when their tech is hacked and abused to do things it wasn't "intended" to do. Especially when these same folk revel in doing it to other things.

Seriously, get with the fucking program - the people have spoken and this is what they want. No one gives a fuck all about HTTP being for text only. Shut up or get off.

Re:"Suprise, Suprise, Suprise" -- Gomer Pyle.

[finkployd]

"Fool me once, shame on you. Fool me twice, shame on me." -- Scotty.

This is all wrong, that is an old Texas saying (I believe they have it in Tennessee as well).

"Fool me once, shame on....shame on you....fool me you can't get fooled again"

Finkployd

Which version?

[Greyzone]

I just tested Firefox 1.5.0.7 and it is not vulnerable.

So just what version are you discussing here?

Come on

[kahrytan]

What did you expect people? Of course IE7 vulnerabilities! It is IE after all.

easier and secure

[bigmauler]

"you wanted it easier and more secure"....sounds like bringing a gun when picking up a hooker.

Yet Another Reason...

[TemporalBeing]

Yet another reason not to stay logged into websites all the time. From the vulnerability tester (which also deems IE6 vulerable):

This actually means that if you were logged into your bank account, any web site you are visiting would be able to retrieve confidential data from your bank. This could also be used to retrieve personal settings entered on sites like eBay or Paypal.

Slashdot is perhaps the only site I keep a constant login to, but I also don't store any personal information on Slashdot either. I do shop on Amazon.com and do a few other things, but always make sure I logout (which is a pain on Amazon.com since you have to go through the site until you find a 'not ? Go here' type of hyperlink).

Stay logged in and let your data be vulnerable...

Or, better yet, login only when you need to and keep your data relatively safe.

Re:Firefox

[miskatonic+alumnus]

my own opinion is that that some things work better on ie. its just a fact.

For example: html composed with Frontpage.

WOW THIS LOOKS WRONG.

[AgNO3]

OK just installed ie7 click the google add more buttons, button. Cause you can never have to many menu bars and buttons. (I kid) But the google toolbar seems to have an icon for KayzerNet that is exactly the slashdot icon. Well the button is a green /. http://www.google.com/tools/toolbar/buttons/galler y?sourceid=navclient&hl=en

Current update

[TomatoMan]

DAMN KIDS! STAY AWAY FROM MY TUUUUUUUUUUUUBES!

(and here is some lowercase text to make the lameness filter ecstatic)

As has been pointed out - it is already fixed.

[Tran]

Unlike this exploit for IE that has been around foever. Learn to read.

Re:Firefox

[orgelspieler]

that, too, can be done in print, thanks to the magic of flipbooks.

Re:Firefox

[RootWind]

I believe he might be referring this one: http://secunia.com/advisories/20442/

Some more reality on Bulky

[blazerw11]

Download Size:
IE7: 14.8MB
FF1.5: 4.9MB
FF2RC3: 5.6MB
HD Space Needed:
IE7: 87MB to 218MB*
FF1.5: 52MB
FF2RC3: 52MB**

*These values for IE7 are listed under the "Memory" title. Does it mean computer memory required or hard drive space? If it IS memory required, who has 87MB installed? Is MS just perpetuating the misunderstanding between hard drive space and memory?

**These values for FF2RC3 came from the same specs page as FF1.5, the FF2RC3 download page linked to it though.

Never been to that site

[Stan92057]

How can it read the contents of the news.google.com if i have never been there?? I only use google to search not anything else?? what am i missing here?

Re:Firefox

[towsonu2003]

that one seems to be fixed:

Mozilla Firefox 1.5.0.4, Mozilla Suite 1.7.13, Mozilla SeaMonkey 1.0.2, and Netscape 8.1 and earlier allows user-assisted remote attackers to read arbitrary files by tricking a user into typing the characters of the target filename in a text box and using the OnKeyDown, OnKeyPress, and OnKeyUp Javascript keystroke events to change the focus and cause those characters to be inserted into a file upload input control, which can then upload the file when the user submits the form.

(from the CVE link in there)

What about that IE7 registry key to block setup?

[HalfOfOne]

Anyone else notice that the registry key that was touted as preventing the IE7 upgrade doesn't do jack?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0]
"DoNotAllowIE70"=dword:00000001

I had thought it would categorically deny even the downloaded setup file, not just setups that were (eventually) launched from inside WindowsUpdate.

Re:Actually, what's wrong with http? its overloade

[jacksonj04]

HTTP does not at any point render Flash. At all. Ever. It may be used to send a binary .fla file which is rendered at the far end though.

It transfers all kinds of files, get over it. I'm not going to waste time sending image requests over FTP.

Re:And Opera...

[j79zlr]

Maybe nobody is gloating over it because it was patched in version 9.0.2 which was released almost a month ago.

Re:Firefox

[kintin]

Or hv3. It's got CSS compliance that passes Acid2, 90% frame support, and no Javascript or Flash support. The only negatives are it's a little alpha-y (background tabs block the whole UI, etc.) and there's no HTTPS support. It's rather lightweight, however, and actively developed. I use it on my Thinkpad 233MHz no trouble.

I'll use elinks for GMail and my bank website because it handles HTTPS. Using plain links for regular web browsing pales in comparison. Even w3m or dillo do better than that. And, if I'm not mistaken, Lynx is only used at libraries without funding, at universities with a documentation/knowledge base system build around it, and for users with disabilities. Well, I guess you can script with it...

Its not true

[Ultragames]

Here is the line of code they use to get the source of the said 3rd party page: request.open('GET', 'http://secu'+'nia.com/ie_redir_test_1/?' + Math.random(), true); Here is why this 'bug' does not do what they say it does: The browser does not allow AJAX style connetions to any domain outside of the one you are currently on. To 'get around this' Secunia has connected to a page on thier server which then goes and gets the code. Probaly using a readfile command. Here is why this is NOT a browser bug: The page that they are calling is on thier server which means that it does not have your cookies or your session data. The server page that they are opening can only view the page from the stand point of an not-logged-in user. This isn't a new trick that Secunia just invented, it is used quite often to get data from other websites. But the only way to log into another website in this manner is the have the server side page open a socket into that 3rd party page. This cannot be done, again, because their server does not have your cookie data. This is not a browser bug.

Re:Its not true

[julesh]

That's not actually what they're doing. Try connecting to that address. Here's what you get:

Trying 213.150.41.226...
Connected to secunia.com.
Escape character is '^]'.
GET /ie_redir_test_1 HTTP/1.1
Host: www.secunia.com
Connection: close

HTTP/1.1 302 Found
Date: Thu, 19 Oct 2006 19:30:39 GMT
Server: Apache
location: http://secunia.com/ie_redir_test_1
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

0

They're sending an HTTP redirect, and the browser's following it. It will then send the cookies for the redirected URL to the server, and the server will return data expecting it to go into its own security context. This does allow data stealing.

Re:Its not true

[julesh]

Actually, ignore the posted session transcript, it's a double stage redirect:

jules@vengeance:~/public_html/sb2WorkArea/newadmin > telnet secunia.com 80
Trying 213.150.41.226...
Connected to secunia.com.
Escape character is '^]'.
GET /ie_redir_test_1 HTTP/1.1
Host: secunia.com
Connection: close

HTTP/1.1 302 Found
Date: Thu, 19 Oct 2006 19:32:32 GMT
Server: Apache
Location: mhtml:http://secunia.com/ie_redir_test_2
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

0

Connection closed by foreign host.
jules@vengeance:~/public_html/sb2WorkArea/newadmin > telnet secunia.com 80
Trying 213.150.41.226...
Connected to secunia.com.
Escape character is '^]'.
GET /ie_redir_test_2 HTTP/1.1
Host: secunia.com
Connection: close

HTTP/1.1 302 Found
Date: Thu, 19 Oct 2006 19:33:04 GMT
Server: Apache
Location: http://news.google.com/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

0

Connection closed by foreign host.

Comments at end of post still apply, though.

Re:Its not true

[oasisweb]

The browser does not allow AJAX style connetions to any domain outside of the one you are currently on. To 'get around this' Secunia has connected to a page on thier server which then goes and gets the code. Probaly using a readfile command. Here is why this is NOT a browser bug: The page that they are calling is on thier server which means that it does not have your cookies or your session data. The server page that they are opening can only view the page from the stand point of an not-logged-in user.

Yes, that would be great if it actually worked like you say (that is, like it's supposed to). Problem is, if Secunia doesn't have my session and cookies for google news, why is it that the news.google page they're showing me displays me as logged in, complete with my custom channels and personalizations, and my e-mail, and, one click away, my search history?

Re:Its not true

[MikaelC]

No, Their server does not directly fetch information from news.google.com. They use a double redirect (the last one using a MHTML prefix) which wrongly transmits your google session cookie to news.google.com (a cross domain vulnerability). It is easy to check: first log in using your google account at news.google.com, and then try the Secunia test. If your system is vulnerable, you will find that your google username is present in the 'view retrieved content' (because it is displayed on the page, if and only if you are logged in). Try it.

Re:Firefox

[Rinzai]

Yes, maybe, but wouldn't the script have to know where you were logged in to do anything? How could the script reach across tabs or instances in order to figure out what to log into in the first place? The security rules prohibit that sort of thing. This test shows that there's still an issue with the mhtml thing, but there aren't any practical examples of actually getting to some site to which I am logged in a different tab or instance. Anybody can get to Google News.

I call shenanigans on this because of how contrived it is.

If they had somehow actually gotten content from a site I had running in another tab--but no. They didn't.

Let's stick with lynx-ssl or links...

[technicalandsocial]

http://www.securityfocus.com/bid/19181 It's not like Mozilla suite is untouchable either.

And for the people that voted my post yesterday as "redundant" without trying the URL, Microsoft has retaliated by releasing a new version of IE7 available at http://www.ie7.com./

RE: Lunch... Re:Yawn.

[22FF001100]

M&M's + RedBull?

Re:Firefox

[sponga]

I was thinking and to take in effect that IE7 was released on Vista a long time ago; they have probably had time to work on the bug since beta of IE7 or got it off RC1 on Vista. The headline is just screaming for attention though.

MS

[certel]

Wow. That is complete embarrassing...

Re:"Suprise, Suprise, Suprise" -- Gomer Pyle.

[Mister+Whirly]

Everytime I see that quote, I picture Dubya, can of Coors in one hand, heavy metal horns upraised in other, rocking out to The Who...

And then I get the willies...

Re:"Suprise, Suprise, Suprise" -- Gomer Pyle.

[finkployd]

Everytime I see that quote, I picture Dubya, can of Coors in one hand, heavy metal horns upraised in other, rocking out to The Who...

I would vote for ANY presidental candidate who does this. If only because it really does not matter so much which of the two gets into power anymore, it really ought to be the one who don't NEED no instructions on how to rock.

Finkployd

Re:"Suprise, Suprise, Suprise" -- Gomer Pyle.

[Mister+Whirly]

Heh, I believe the instructions on "how to rock" came with his 8 ball...Or was that instuctions on "how to make rock"??

Re:Firefox

[oasisweb]

Yes, anybody gan get to Google News. But not anybody can get to Google News logged in as you (Well obviously now they can, but they shouldn't be able to, anyway). If you login to Google in a different window (either through GMail, Google IG, or some other Google service), and then test this script, you will see that the data it returns to you will show you logged in. It doesn't need to know if you're logged in to anything. It just needs to wait for the average Joe who happens to be logged in and executes the script.

The vulnerability is real and exploitable. I do not understand why they didn't fix it as it was clearly already disclosed in April.

Sounds like fud to me

[nmosfet]

I've tried it on Vista (at work) along with XP with IE7 previously installed via WU and with a version I just installed though the download from microsoft. In all three cases I get the message "Your browser does not appear to be vulnerable to this particular exploit"

Is this website trying to capitalize on increased traffic by announcing a fake IE7 exploit or did MS just fix it incredibly fast? Based on MS' past history, I'm guessing the former.

Sanity =/ Knowledge

[ukemike]

But every sane person in the world already has Internet zone security level set to High so who is gonna be affected by this?

Education on computer security issues does not follow directly from sanity. There are plenty of perfectly sane people who wouldn't know an "internet zone security level" if you smacked upside the head with it.

The reason that computer security matters is not to safeguard MY pc from attack it's to safeguard the computers of idiots from attack so we don't have multitudes of zombie networks being controlled by organized crime.

Re:"Suprise, Suprise, Suprise" -- Gomer Pyle.

[finkployd]

I was going for an obscure aqua teen hunger force reference, but you took it to a whole new level. Zing! :)

Finkployd

I tried it. Vulnurable

[YesIAmAScript]

My XP SP2 machine is up to date, and I installed IE 7 today. The test at that link reports that it is vulnerable.

Re:Firefox

[asylumx]

ok, here you go: http://secunia.com/advisories/12580/

not vulnerable on Vista?

[dioscaido]

I ran the test code on IE on Vista RC2, and it did not succeed. 'your browser does not seem to be vulnerable to this particular exploit' is what I get.

Not necessarily that bad...

[ilovegeorgebush]

The bug is in IE6 too, so it could be blamed as a legacy issue...

But how does it work?

[AceCaseOR]

I read TFA and I didn't see anything there explaining how the bloody vulnerability works. I don't speak JavaScript too well, so if someone could explain how the security hole does what it does, it would be appreciated.

Re:Firefox

[Sepodati]

Did either of you actually read through the bug report on Bugzilla, or did you just link to something old? The first bug is actually a strict following of the RFC for cookies. Since it can be exploited if web sites do not set and check their cookies correctly, people are expecting Mozilla to have the browser fix it for them.

For just an example of how much of a pain this check is, consider the following from the Bugzilla page. This is just for one domain and the same type of rules would need to be white/black listed within the Mozilla source code in order for any fix to work for this "bug".

> I'm not sure what to do with .jp. Specify that any .jp domain can't set a cookie > for a parent domain? .jp domain can set cookies for 2nd level domain. For example, http://www.ntt.jp/ can set for ".ntt.jp" cookie. Ofcourse, cannot set for ".jp".

But following domains must not be able to set cookie to 2nd level.

ad.jp ac.jp co.jp go.jp or.jp ne.jp gr.jp ed.jp lg.jp

And following geographic type domain domains must not be able to set for 2nd and 3rd level.

hokkaido.jp aomori.jp iwate.jp miyagi.jp akita.jp yamagata.jp fukushima.jp ibaraki.jp tochigi.jp gunma.jp saitama.jp chiba.jp tokyo.jp kanagawa.jp niigata.jp toyama.jp ishikawa.jp fukui.jp yamanashi.jp nagano.jp gifu.jp shizuoka.jp aichi.jp mie.jp shiga.jp kyoto.jp osaka.jp hyogo.jp nara.jp wakayama.jp tottori.jp shimane.jp okayama.jp hiroshima.jp yamaguchi.jp tokushima.jp kagawa.jp ehime.jp kochi.jp fukuoka.jp saga.jp nagasaki.jp kumamoto.jp oita.jp miyazaki.jp kagoshima.jp okinawa.jp sapporo.jp sendai.jp yokohama.jp kawasaki.jp nagoya.jp kobe.jp kitakyushu.jp

For example, http://www.city.shinagawa.tokyo.jp/ can set a cookie for ".city.shinagawa.tokyo.jp". But must not be able to set for ".shinagawa.tokyo.jp", ".tokyo.jp" and ".jp".

Exceptionally, only following domains should be able to set cookies for 3rd level.

metro.tokyo.jp

pref.hokkaido.jp pref.aomori.jp pref.iwate.jp pref.miyagi.jp pref.akita.jp pref.yamagata.jp pref.fukushima.jp pref.ibaraki.jp pref.tochigi.jp pref.gunma.jp pref.saitama.jp pref.chiba.jp pref.kanagawa.jp pref.niigata.jp pref.toyama.jp pref.ishikawa.jp pref.fukui.jp pref.yamanashi.jp pref.nagano.jp pref.gifu.jp pref.shizuoka.jp pref.aichi.jp pref.mie.jp pref.shiga.jp pref.kyoto.jp pref.osaka.jp pref.hyogo.jp pref.nara.jp pref.wakayama.jp pref.tottori.jp pref.shimane.jp pref.okayama.jp pref.hiroshima.jp pref.yamaguchi.jp pref.tokushima.jp pref.kagawa.jp pref.ehime.jp pref.kochi.jp pref.fukuoka.jp pref.saga.jp pref.nagasaki.jp pref.kumamoto.jp pref.oita.jp pref.miyazaki.jp pref.kagoshima.jp pref.okinawa.jp

city.sapporo.jp city.sendai.jp city.saitama.jp city.chiba.jp city.yokohama.jp city.kawasaki.jp city.nagoya.jp city.kyoto.jp city.osaka.jp city.kobe.jp city.hiroshima.jp city.kitakyushu.jp city.fukuoka.jp (Additionally, city.shizuoka.jp will start in Apr 2005.)

For example, the site "http://www.metro.tokyo.jp/" should be allowed to set a cookie for ".metro.tokyo.jp". Ofcource, It's not allowed to set for ".tokyo.jp." and ".jp".

If it says simply, "GEOGRAPHIC.jp" cannot set a cookie to the 2nd and the 3rd level. However, "(metro|pref|city).GEOGRAPHIC.jp" can set a cookie to the 3rd level. "XX.jp" cannot set a cookie to the 2nd level. The other ".jp" can set a cookie to the 2nd level.

The above "XX" are "ad, ac, co, go, or, ne, gr, ed, or lg".

The above "GEOGRAPHIC" are "hokkaido, aomori, ... kitakyushu".

---John Holmes...

Doesn't anyone here even realize?

[TheNetAvenger]

All these posts and I haven't found one yet that even 'realizes' what the problem is, why it doesn't exist in Vista and why it continues to exist in IE7 for XP.

The flaw is in Outlook Express and not IE7. This is why the IE7 update made no difference and why the problem does not exist in Vista even though IE7 is is used.

Also the way they are reporting the bug is a bit off on what is happening and why it is happening.

Re:Doesn't anyone here even realize?

[jseale]

No shit! Outlook Express should be re-branded if not blown off the face of the earth all together. Thunderbird has won the all-in-one messaging app battle and it sure as heck gets along just fine with IE amd Opera.

Re:Doesn't anyone here even realize?

[TheNetAvenger]

No shit! Outlook Express should be re-branded if not blown off the face of the earth all together. Thunderbird has won the all-in-one messaging app battle and it sure as heck gets along just fine with IE amd Opera.


I agree... Going back as far was Windows Mail in Win95, MS has made some stupid decisions. Outlook Express was an improvement and was ok for its time, but that was 8 years ago.

I can remember when I was in the Win95 beta, and I blasted the Product manager for the 'universal inbox Windows Mail', he apologized and admited they royaly feked up...

I have more money now, so I tend to stick with the real Outlook. I have moved from various mail clients over the years, but now have a bit of ease of use and confidence in Outlook. (If any team at MS does good work it is their Office team.)

I have been screwed by Eudora and many other too many times. (Besides Eudora is such a pig for the amoutn of mail I deal with. I have a 12gb personal store of messages, and get a few hundred a day of real mail with large attachements.)

Re:"Suprise, Suprise, Suprise" -- Gomer Pyle.

[smash]

Micorosoft have been patching security for years. They now claim, "Security is job one." Do you believe it? Why would you? I would not trust IE unless it is rewritten from scratch. There is only so many patches you can do.

On the contrary, i would make the additional caveat that i would not trust IE unless it was re-written from scratch *by someone with a good security track record* and peer reviewed. Simply being a re-write won't necessarily make it any better.

There's no limit to what patches can do, you just have to be aggressive with your modifications.

Posted from IE7 on XP SP2, checked as vulnerable (I am at work and using this as a guinea pig machine) :D

Ballmer changed the slogan from ..

[mr_death]

... "you wanted it easier and more secure" to "you wanted it, good and hard."

Discovered???

[zero_offset]

It was known in IE6. It's hardly accurate to say it was "discovered" in IE7.

Re:Actually, what's wrong with http? its overloade

[colfer]

Gopher could present images, sound, etc., as well as those gopher menus and text pages. I used it on a NeXT!

Re:Firefox

[notnAP]

You ever try to operate a flip book with one hand?

Re:Memory leaks

[erlando]

I'm aware of the article.. :-) IMO they should spend more time fixing the problem than writing about it.. ;-)

Ridiculous (not on Microsoft's part)

[kidMike]

What bugs me is that this vulnerability wasn't "discovered" once IE7 was released; more than likely, these people knew the bug existed in IE6, and in the IE7 betas, they waited until IE7 was declared Gold, then went to press! If they acted correctly instead of trying to grab headlines, they would have notified MS in advance, to allow an opportunity to correct it. Not absolving MS by any means, but this seems awfully self-serving be the "security researchers"...

Re:AC or Lazy?

[gkhan1]

Are you seriously saying that logging in to websites is hard? Every single person on MySpace, not really a place for intellectual discourse, can do it. Why can't you? Is it so hard to click "remember me" when you go to a website? Is it so hard to have your browser save your password? Is it really that hard to remember them?

If it's that much of a bother to login to a website, you are not lazy, you are stupid. Simple as that.

Re:Firefox

[gkhan1]

The difference is that you're a troll. He isn't. Sure, the system can be abused, but that vast majority of people don't abuse it. You do, and therefore you are an asshole. You are just proving the posters thesis: you can't be trusted with any of your comments. He was right. You just proved him right.