Slashdot Mirror


Patch Tuesday — IE7 Clean

jginspace writes "As per the advance notification, Microsoft's monthly security bulletin, released yesterday, addressed five general Windows issues and one in Visual Studio. It also included a fix for a problem in Outlook Express for a total of seven updates. As patch Tuesdays go it was fairly unremarkable. The only general Windows update labeled 'critical' is for a flaw in Media Player. As usual, there's a cumulative update for Internet Explorer, but significantly, the only versions of IE affected are 5 and 6. Version 7 is clean — which is welcome news in this first update since the upgrade was pushed to the world last month. Microsoft was silent on the two zero-day Word holes, one reported here and a new one. Sans is calling this 'Black Tuesday' and recommends patches be applied urgently for the Visual Studio and Media Player vulnerabilities. Sans is recommending the Heise Offline Update utility covered in a previous story."

75 comments

  1. IE7 really clean? by jginspace · · Score: 4, Insightful

    Would I be trolling here if I wondered out loud: Did Microsoft really not find and fix anything with IE7 during the last month that they considered worthy of pushing out with this latest bulletin? Consider that this is the first set of updates since IE7 was pushed out to the whole world and how the inclusion of a patch for IE7 would be met with a jaundiced 'business as usual'. I suppose Microsoft just can't win on this can they?

    1. Re:IE7 really clean? by ComaVN · · Score: 1

      I predict a zero-day exploit for IE7 by tomorrow.
      *any* new piece of code has bugs, no matter how good the development team.

      --
      Be wary of any facts that confirm your opinion.
    2. Re:IE7 really clean? by djupedal · · Score: 1

      You're not alone in your speculation. Leave it to an MS troll to slant non-news away from a non-event.

      It is more that IE7 by default is put on the backburner in terms of any kind of update activity, simply because it has only been out a month. Doesn't mean it is clean, and certainly doesn't mean anything significant, by any means.

      I'm willing to give MS a month breather, but I'm not willing to give a pass to the clean story, at all.

    3. Re:IE7 really clean? by Anonymous Coward · · Score: 0

      Unless it's Firefox, of course. At least that is the conventional wisdom here.

  2. But I installed Outlook Express 2 years ago? by Anonymous Coward · · Score: 1, Interesting

    I uninstalled Outlook Express around 2 years ago using "Add/Remove Windows Components".

    However, Windows/Microsoft Update keeps applying patches for "Outlook Express".

    I'm sure that if I searched my drive for Outlook Express (or the correct search pattern), I would find that Windows never really uninstalled Outlook Express. Lies lies lies!

    1. Re:But I installed Outlook Express 2 years ago? by phrasebook · · Score: 2, Informative

      Yeah, just the shortcuts are removed. Ditto Movie Maker, Messenger, Media Player, IE and probably others.

    2. Re:But I installed Outlook Express 2 years ago? by flyingfsck · · Score: 1

      You don't have to search very far - just have a quick look-see in c:\progra~1

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    3. Re:But I installed Outlook Express 2 years ago? by oliverthered · · Score: 1, Informative

      If you clicked uninstall and the application failed to uninstall all of its components then I'd say you own those components completely.
      Please GPL Outlook Express for us.

      --
      thank God the internet isn't a human right.
    4. Re:But I installed Outlook Express 2 years ago? by 0racle · · Score: 1

      What does it feel like to find out what everyone else knew? This is documented behavior.

      --
      "I use a Mac because I'm just better than you are."
    5. Re:But I installed Outlook Express 2 years ago? by Anonymous Coward · · Score: 0
      > What does it feel like to find out what everyone else knew? This is documented behavior.

      Fine, but that doesn't answer the GP's real question which is the same as my question: "what's the magic spell to turn off protection and wipe every frackin' OE DLL off every place on the hard drive that they're copied for once and for all?"

      When I have root, and I remove a file from a directory, and from a DLL cache, and from the local /i386 copy of the install media, I bloody well expect it to stay removed for more than a second or two. Why do I have lower privileges on my own fucking system than the fuckers that write the viruses that my luser employees always keep picking up?

    6. Re:But I installed Outlook Express 2 years ago? by cp.tar · · Score: 2, Funny

      You really want to bring down Open Source, don't you?

      There's a reason no-one has done that yet.

      --
      Ignore this signature. By order.
    7. Re:But I installed Outlook Express 2 years ago? by Anonymous Coward · · Score: 0

      Have you ever heard of the registry? All info about progs gets stuck in the registry even when you uninstall them. Use a registry cleaner; your computer might run faster too.

  3. Damn. by sporkme · · Score: 2, Insightful

    What a headline... I thought for a second there that they had recalled IE7.

    I assume that only security vulnerabilities will be patched in XP's IE7 until Vista is on the same update schedule as XP. These patches will be fashionably late and will only address the most severe issues with the browser, and that simple compatibility glitches will go unanswered. Once Vista is really rolling along there will be more consistency.

    1. Re:Damn. by sanyam_y · · Score: 1, Redundant

      Does this really qualify to be a headline? To ensure that any news receives maximum hits, all that one needs to do is to include one or all of the following keywords: Microsoft, Gates, Ballmer, Vista and IE7.

  4. clean != free of "critical" updates by Vandil+X · · Score: 1

    I fully assume that IE7's phishing filter, like Outlook 2003's Junk Mail Filter, will receive monthly updates from Microsoft to keep it up to date with the latest phishing "heuristics".

    Depending on your WSUS server's settings, Outlook 2003 Junk Mail Filter updates (and likely IE7 phishing filter updates) may appear as "Critical Updates" despite not actually being security patches for %0-day_exploit_01%.

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
    1. Re:clean != free of "critical" updates by Osty · · Score: 5, Insightful

      > I fully assume that IE7's phishing filter, like Outlook 2003's Junk Mail Filter, will receive monthly updates from Microsoft to keep it up to date with the latest phishing "heuristics".

      Actually, IE7's anti-phishing technology is server-based. The judgement of a URL as "phish" or "non-phish" is done completely outside of your browser, outside of your own PC even, so there's no need for heuristic, signature, or filter updates to be pushed to users.

    2. Re:clean != free of "critical" updates by Keeper · · Score: 1

      They maintain a local whitelist of "sites that definitely aren't phishing sites". However, I believe they update that via some sort of background mechanism in IE and not via WU.

    3. Re:clean != free of "critical" updates by rbochan · · Score: 3, Insightful

      So... every single web site you browse is monitored by a Microsoft server? Yipe. I bet DHS _loves_ that "feature". Can you turn it off?

      Even sounds a bit like spyware...

      [adds another layer to tinfoil hat]

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    4. Re:clean != free of "critical" updates by Anonymous Coward · · Score: 0

      > So... every single web site you browse is monitored by a Microsoft server? Yipe. I bet DHS _loves_ that "feature".

      Microsoft would never use this information for any kind of marketing purpo...I mean release it to the Department of Homeland security.
      Microsoft would never use it to profile you as an individual. We promise. Really.

      > Can you turn it off?

      Well, you can turn it "off" in the GUI, but the DHS don't mind if you know what I mean.

    5. Re:clean != free of "critical" updates by Sancho · · Score: 4, Informative

      It asks you by default, and gives you the option to disable the feature when it does.

    6. Re:clean != free of "critical" updates by PsychicX · · Score: 1

      The URL is of course hashed before it's transmitted anywhere. So the only sites they can actually recognize are ones that exist in their database as phishing sites. Maybe not hugely comforting, but it's not like they're blasting your browsing behavior back to their servers in plaintext.

      Course that didn't stop me from turning it off anyway. I guess there are a lot of retards out there, but I'm not one.

    7. Re:clean != free of "critical" updates by Anonymous Coward · · Score: 0

      Uummmmmm google already does this. AND there is no way of turning it off. Every website you visit with adsense (whether you click on an ad or not) is reported back to Google. And if you happen to be signed in to any google service at the time, that is bundled with the report as well. Firefox reports every website to google along with your IP address. Funny how no one seems to mind that stuff....

  5. Ahhhh by The+Living+Fractal · · Score: 1

    How much have the network protocols changed since IE was released? And now in version 7 we actually have a program that can (supposedly) capably utilize the protocols? Hell. I guess this is news.

    TLF

    --
    I do not respond to cowards. Especially anonymous ones.
  6. Article Text Isn't Very Good Journalism by MSTCrow5429 · · Score: 0, Troll

    The article text is not well-written. It makes mention of a "Sans," without bothering to identify what Sans is. I assume they don't mean the SANS Institute? Just rubbish, not at all well-edited.

    --
    Slashdot: Playing Favorites Since 1997
    1. Re:Article Text Isn't Very Good Journalism by kanani · · Score: 1

      i was going to tell you sans means without, but then i read TFA

    2. Re:Article Text Isn't Very Good Journalism by Anonymous Coward · · Score: 0

      It's MS Comic Sans of course!

      M

  7. clean by l3v1 · · Score: 5, Funny

    It's good to know, that if they don't release patches, that means IE7 is clean from bugs. I got all comfy and calm now.
     

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  8. IE 7 Clean by achten · · Score: 1

    This may be projected as a compelling reason to upgrade your web browser at least !!

  9. Alright everyone, show's over by strider44 · · Score: 4, Insightful

    It's official, IE7 is clean. This shows that Microsoft have gotten all of the bugs and there will be no more patches, ever. Uninstall your virus and spyware scanners - they're not needed anymore.

    Seriously, has the situation come to a place for Microsoft where a month with no patches for IE is actually news?

    1. Re:Alright everyone, show's over by strider44 · · Score: 0, Offtopic

      Aside from that I never said anything about firefox and that the number of patches in no way corresponds to the number of bugs, firefox hasn't had any patches in the last two months since their last major release. This isn't special news.

    2. Re:Alright everyone, show's over by chrisbro · · Score: 2, Interesting

      > Seriously, has the situation come to a place for Microsoft where a month with no patches for IE is actually news?

      Yes. This thing had systems administrators running because of the forced upgrade and general wariness. Now that it's being proven that it won't wreak havoc on corporate systems, I figure some BOFHs will start to ponder a roll-out after blocking it. If it proves in the short-run to be more secure than IE6 (which isn't saying much, of course), they might jump on it.

      As much as /. (justifiably) trashes Microsoft vulnerabilities, it's good to see the editors post a story that goes against the grain. Even if it should be read with a curiously raised eyebrow rather than cheers of jubilation.

    3. Re:Alright everyone, show's over by larkost · · Score: 1

      The reason the corporations have been blocking it is that it breaks many web apps, including ones based on some of the larger vendors' platforms (Oracle, SAP, etc...). At the university where I work they have blocked it because it breaks with our purchasing system.

    4. Re:Alright everyone, show's over by chrisbro · · Score: 1

      Yeah, that was the second part of why we blocked it at work; to wait until it got tested out. We haven't noticed any problems with web apps, but then again, we don't run a lot of apps that require client-side plugins/programs, either. Only thing I've seen is some features of SharePoint will crap it out.

  10. Pushed out? by pe1chl · · Score: 4, Informative

    > Version 7 is clean -- which is welcome news in this first update since the upgrade was pushed to the world last month.

    I know you Americans consider "the USA" the same as "the world", but I can assure you that IE7 was NOT pushed out in the Dutch version of Windows XP. It is not even available as an optional package in Windows update.
    And I think it is the same in many other countries.

    1. Re:Pushed out? by Anonymous Coward · · Score: 0

      Well it's certainly pushing at me.

      You can try pushing it back in, but the reminders pop back after a while.

      In fact the IE7 push is a lot like a nasty case of hemorrhoids.

      The solution? Don't force it, eat more free software, and move to Linux as soon as you feel the urge.

    2. Re:Pushed out? by Tim+C · · Score: 2, Informative

      Here in the UK, I was notified of it being available by Automatic Update at work on Monday. As I work in the web and we currently have no strategy for dealing with IE7*, I refused and set it not to remind me about it. I have heard of friends who have autoupdate set to download and install automatically who were surprised to find that they'd been upgraded, but that was recently, certainly not "last month".

      Still, assuming that everyone is in the same situation as you is hardly a uniquely American trait (although at times, it does seem to be more prevalent amongst our Yankee cousins)

      (* Don't shoot me, I'm just a lowly programmer and can't force the issue)

    3. Re:Pushed out? by jonwil · · Score: 2, Informative

      Even if you are running Firefox or Opera or something else as your main web browser, upgrading to IE7 (if you are on a system where IE7 will run) still makes sense, if nothing else for all those applications that embed the IE widget which will get the benefits of all the bug fixes IE7 has. (although if said applications are known to fail with IE7 installed, that's a different matter)

    4. Re:Pushed out? by Anonymous Coward · · Score: 0

      > Version 7 is clean -- which is welcome news in this first update since the upgrade was pushed to the world last month.
      >
      > I know you Americans consider "the USA" the same as "the world", but I can assure you that IE7 was NOT pushed out in the Dutch version of Windows XP. It is not even available as an optional package in Windows update.
      > And I think it is the same in many other countries.

      No kidding. Maybe /. ought to address this issue in the FAQ! Oh wait... http://slashdot.org/faq/editorial.shtml#ed850 I am glad to have you here, but please stop complaining when the US IT industry is interested in US IT news. Cheers.

    5. Re:Pushed out? by Anonymous Coward · · Score: 0

      learn english, asshole

    6. Re:Pushed out? by pe1chl · · Score: 1

      Last time I checked, it was not even available in Dutch. That may be one of the reasons it is not offered automatically here.
      Looking at the stats on the webserver at work, I see only 3% of MSIE 7 visitors. This means our visitors, which are mainly from the Netherlands, probably don't get this update pushed automatically.
      (MSIE 6 is at 78.7% and Windows XP at 68.1%)

    7. Re:Pushed out? by pe1chl · · Score: 2

      Being interested in the US IT industry or US IT news is not the same as equating "the US" to "the world"...

    8. Re:Pushed out? by PsychicX · · Score: 1

      There are only two things I hate: Those who are intolerant of other people's cultures, and the Dutch.

    9. Re:Pushed out? by Jonsey · · Score: 1

      Maybe it hasn't been pushed by WU/MU yet, but here's a link to the bits: http://www.microsoft.com/belux/nl/windows/ie/downloads/default.mspx

      Enjoy?

      --
      I assert that my comment is only my opinion, not that of any employer, past, present or future.
  11. Who owned you today? by AHuxley · · Score: 1
    In Capitalist West Microsoft declare IE clean.
    In Soviet Union Politburo declare Chernobyl clean.

    Enjoy the Zero Day parade, now with improved security.

    --
    Domestic spying is now "Benign Information Gathering"
  12. There is a patch for IE7 available today. by Rastignac · · Score: 1, Informative

    12/12/2006: Update for Internet Explorer 7 for Windows XP (KB928089).
    This update resolves a performance issue with the Phishing Filter.

    --
    -- Rastignac was here.
  13. IE7 not clean: Secunia shows 3 unpatched holes by free2 · · Score: 5, Interesting

    IE7 is not clean: Secunia shows there are 3 unpatched holes:
    http://secunia.com/product/12366/?task=advisories_2006

    1. Re:IE7 not clean: Secunia shows 3 unpatched holes by cp.tar · · Score: 1

      So it appears that the new definition of 'clean' is "we haven't made any patches yet".

      Sounds like Stef Murky himself thought up this one...

      --
      Ignore this signature. By order.
  14. IE7 was a rewrite by Anonymous Coward · · Score: 0

    IE7 was a rewrite from scratch. So any bugs on IE5/6 won't carry-over. And this also means bugs in IE7 need not be there in IE5/6.

    1. Re:IE7 was a rewrite by Anonymous Coward · · Score: 0, Insightful

      Do you believe that? I can tell you there are many bugs in IE6 that got carried over into IE7, e.g. in CSS handling.

    2. Re:IE7 was a rewrite by Keeper+Of+Keys · · Score: 1

      Even as a pernickety web developer, I wouldn't call a CSS display bug a critical vulnerability.

    3. Re:IE7 was a rewrite by Anonymous Coward · · Score: 0

      So your reasoning is that a rewrite will not carry over any critical vulnerabilities, yet it will carry over CSS bugs?
      How is that supposed to function? Are the CSS bugs actually part of the design?

  15. Why oh why... by Splab · · Score: 4, Informative

    does the autoupdater insist on nagging me every 15 minutes about restarting???? It's so bloody annoying, I know you just updated some of my software, but I'm working so shut the f*** up!

    Anyways, you can ask it to bugger off by going to control panel -> administrative tools -> services, find automatic updates, right click and press stop, that will stop it from nagging you about restarting.

    1. Re:Why oh why... by Anonymous Coward · · Score: 0

      you are working as an Administrator? not very wise...

    2. Re:Why oh why... by Anonymous Coward · · Score: 0

      Try getting any real work done in Windows XP as a non-admin and see how far you get.

    3. Re:Why oh why... by RabidOverYou · · Score: 2, Informative

      I've been doing it for a couple of years now. I have one program I have to RunAs administrator, and I logoff as user, login as admin for WindowsUpdate stuff. All in all, very smooth.

      The most annoying thing is that you can't dblclick the tray clock to see the monthly calendar; it thinks you're changing the date, which is admin-only. Fixed in Vista.

    4. Re:Why oh why... by Anonymous Coward · · Score: 1, Informative

      1. Run gpedit.msc
      2. Click on Computer Configuration
      3. Click on Windows Settings
      4. Click on Security Settings
      5. Click on Local Policies
      6. Click on User Rights Assignment
      7. Double click System Time
      8. Add the user account in question

  16. This news saddens me by The_Revelation · · Score: 1, Troll

    I have to say that if there was just one Microsoft product that needed patching, IE7 would most certainly be it. I've had numerous clients complain about the absolute incompetency of this browser to do what it is fundamentally made to do - view web pages. Even on my own system I encountered at least one complete crash of IE7 every..single..day that it was installed, not to mention the painfully slow performance of the product. Granted, I didn't do everything in my power to make it stable - was running on default settings when I knew very well I could turn these off and run with the bare minimum of settings - but just the hassle of going to HP web sites and having the content blocked as potentially malicious code or the way the program can't render slashdot comments properly, or most web sites for that matter. urgh. It may be secure, but it doesn't do what I would expect a web browser to do - browse the web. And the browser tab functionality lacked the one feature I have come to expect from tabbed browsing - for the browser to remember what pages I was looking at, so that every time it crashed I didn't have to work out what I was up to. I know this is a big bitch session about the obvious shortcomings of IE7, but come on!! how can you release such an obviously flawed product and neglect to update it a month after its release? On a side note - since removing IE7 from my machine my notebook will now successfully hibernate again. Coincidence?

  17. Handy tool - Check for insecure software by mmbokaj · · Score: 2, Interesting

    Secunia released a new tool last week. You can use this to verify that you have the latest secure versions of software installed, including MS updates. http://secunia.com/software_inspector/

  18. Sans = SANS Internet Storm Center by brotherash · · Score: 2, Informative

    The organization referred to as Sans in this article is the SANS Internet Storm Center found at http://isc.sans.org/ You can find the reference to Black Tuesday and more information on this update at http://isc.sans.org/diary.php?storyid=1928

  19. When did every exploit become 0-day? by LordOfTheNoobs · · Score: 1

    Seems every exploit mentioned lately has been labeled 0-day. I guess they must have solved the problem of the [1-9][0-9]*-day exploits. Of course if we can limit the flaws to only a single day, it limits the time those nasty hackers have to break the systems! Right? What?

    --
    They're there affecting their effect.
  20. SANS "recommends" the Offline Update tool? by Morinaga · · Score: 1

    I'm searching for where SANS has recommended the Heise Security Offline update script and cannot seem to find this information anywhere on the SANS site.

    If I can find this evidence it would go a long way towards convincing my security group that my IT organization can use this to develop iso cds.

    1. Re:SANS "recommends" the Offline Update tool? by jginspace · · Score: 1

      "I'm searching for where SANS has recommended the Heise Security Offline update script and cannot seem to find this information anywhere on the SANS site. If I can find this evidence it would go a long way towards convincing my security group that my IT organization can use this to develop iso cds."

      The SANS homepage changed shortly after the editors published this story. For the last few hours it's been the somewhat underwhelming account: "Microsoft Office 2004 (Mac OS X) update was a accident. (NEW)" ... and only that.

      The links under 'Diary Archive' at the bottom right of the main page omit the Heise references. Odd. However a search for Heise does bring up two results at the bottom which both point to this: http://isc.sans.org/diary.php?date=2006-12-12&isc=584e460f1a298753d999481d6d2d81f8 ... which points to this: http://isc.sans.org/diary.php?storyid=1939 - hope it helps.

  21. What about the Micro Print in Outlook Problem? by jeepville · · Score: 1

    When you install IE7 and print emails received in HTML using Outlook, there is a bug where the emails print in about a font of 1.
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.outlook&tid=53028d9d-6499-4e5c-a928-71fd00e01da1&p=1
    This sure seems like a problem. Maybe not critical but if the ladies in my office don't stop complaining about it then it might become critical.

  22. IE is clean like that girl you know.. by kinglink · · Score: 3, Funny

    You know the one who claims not to have caught an STD, but you've seen her around the free clinic a few times? You know the one. She has documents that say she has a clean bill of health but somehow you don't think there's a Doctor Fakopsky.

    Then of course you go out with her and the next day you know what falls off? We've all had that experience, haven't we?

    Oddly enough that sounds exactly like IE7. I'll stick with my hotter girlfriend, Firefox. It's true she might have "enhancements" and she might be a little "slower" but at least she's not sleeping around like IE.

  23. Windows 98 and ME out in the cold by BeerCur · · Score: 1

    So we have these vulnerabilities with Outlook Express, Internet Explorer, and other parts of the OS. I'm sure there are a bunch of people... ummm me... that are still using the now unsupported OS's of 98 and ME...

    Can Zone Alarm, router firewall, along with Ad-Aware, keep things more or less safe for ME, or is it really time to upgrade?

    --
    It's not what your Sig can do for you, but what you can do for your for your Sig.
    1. Re:Windows 98 and ME out in the cold by assassinator42 · · Score: 1

      ME is horrible, you should upgrade to Windows 2000, Linux, or BSD right away. Or at least use Firefox/Thunderbird instead of IE/OE.

    2. Re:Windows 98 and ME out in the cold by SEMW · · Score: 1
      Yes, you can still keep things reasonably safe; as long as you:
      • Have a virus scanner that scans all incoming and outgoing email *before* your email program gets at it (For example, AVG, which is free).
      • Have a firewall -- preferably a hardware firewall, but a good software one like Zonealarm will do at a pinch.
      • And most importantly -- don't use IE and OE. This isn't any bias on my part, only that any program you use that connects to the internet should be kept completely up to date. Since this is impossible with IE & OE on 98 & ME, don't use them. Try Firefox & Thunderbird -- Actually, maybe Opera rather than Firefox (there have been memory leak issues reported with Firefox, and neither 9x nor ME handle memory anywhere near as well as 2000 & XP).
      With the precautions, as long as you use common sense (don't download dodgy executables, don't open unsolicited email attachments, don't install "free" programs that come bundled with tons of spyware, etc.), you should be fine.
      --
      What's purple and commutes? An Abelian grape.
    3. Re:Windows 98 and ME out in the cold by BeerCur · · Score: 1

      Thanks, for the information / advice.

      --
      It's not what your Sig can do for you, but what you can do for your for your Sig.
  24. Phishing Filter by Z34107 · · Score: 1

    Old news. You can turn the phishing filter off - in fact, when you first run IE7, it asks you if you want to turn it on.

    They don't track the computers the filter requests come from. It's certainly technically possible that they could, but conspiracy theories aside, they don't.

    --
    DATABASE WOW WOW
  25. The World by Z34107 · · Score: 1

    > I know you Americans consider "the USA" the same as "the world", but I can assure you that IE7 was NOT pushed out in the Dutch version of Windows XP.

    Silly you. Dutchistan is in a completely different world - there's an ocean between them.

    --
    DATABASE WOW WOW
  26. Day after is when the viruses come out now.... by Quevar · · Score: 1

    Since MS has such a regular release schedule for updates, it makes sense that the virus writers have a schedule too - release it the day after all the security checks. Expect a hole to be announced and exploited within the week.

    Or, I could be wrong and the numbers are too low to make it worth the effort. Or, just maybe, Microsoft actually did build a secure product....

  27. All better than the days of drive-by downloads by Beryllium+Sphere(tm) · · Score: 1

    There's a cross-window injection problem, which could let sleazebuckets.com (if you're viewing them at the same time as you visit your bank) place a popup on top of yourbank.com. This kind of problem is not new. On the one hand that means Microsoft really should have prevented it, on the other hand it means that it's already best practice to have nothing else open when visiting a sensitive site.

    There's an address bar integrity problem which "could allow phishing". Again, MS should have used their experience to head this off, but normal good practice by the user will avoid the problem.

    The last will read content from another site, but only if Javascript is running.

    I've had to advise people that there was no way of using IE6 safely. So far IE7 is looking better than that.