The Active Network
ActiveMac Anonymous | Create a User | Reviews | News | Forums | Advertise  
 

  *  

  Microsoft probes IE 7, Vista bug reports
Time: 00:22 EST/05:22 GMT | News Source: ZDNet | Posted By: Kenneth van Surksum

Microsoft is investigating two recently disclosed security vulnerabilities that affect Internet Explorer 7 and Windows Vista, the company said Monday.

The vulnerabilities aren't considered high-risk, yet they affect the latest releases of Microsoft's Web browser and operating system software. Microsoft has promoted the security of both IE 7 and Windows Vista. The flaws could let attackers get their hands on sensitive user information, security experts have warned.

The French Security Incident Response Team said in an alert that the IE vulnerability, which also affects IE 6, could be exploited in phishing attacks, scams that try to trick people into giving up sensitive information such as credit card data and Social Security numbers. The problem exists because of an error in the way the browser handles certain "onunload" events, the security monitoring company said. Attackers could exploit the issue to spoof the browser address bar, FrSirt said.

Write Comment
Return to News

  Displaying 1 through 25 of 339
Last | Next
  The time now is 8:56:38 AM ET.
Any comment problems? E-mail us
#1 By 32132 (64.180.219.241) at 2/27/2007 1:42:24 AM
Firefox 2.0's onUnload problem is more serious:

http://www.mozilla.org/security/announce/2007/mfsa2007-08.html


Firefox 2.0 is still way ahead ... in vulnerabilities.

http://www.mozilla.org/projects/security/known-vulnerabilities.html

#2 By 2960 (24.254.95.224) at 2/27/2007 7:16:40 AM
Wow, and I thought this story was about Vista and IE7. Thanks for correcting us there Parrkkkkker.

#3 By 37047 (216.191.227.68) at 2/27/2007 7:58:37 AM
Leave it to ParKKKer to rush in with an off-topic post to distract attention away from 2 MS problems. It is nice to know he is earning his MS paycheque.

#4 By 15406 (216.191.227.68) at 2/27/2007 8:42:19 AM
I think Parkkker forgot to mention that this bug is already fixed in Firefox 2.0.0.2 while IE users will have to wait until MS gets around to it. Just an oversight on his part, surely.

#5 By 13030 (198.22.121.110) at 2/27/2007 9:10:02 AM
Don't bother him with relevant details...

(Hey, Parker, the challenge still stands. Are you up to it yet?)

#6 By 32132 (142.32.208.231) at 2/27/2007 11:05:22 AM
Wow. Some people are really bitter about Firefox 2.0 being less secure than IE7.

Especially the ActiveWin staff who never post articles about Firefox vulnerabilities -- maybe because there are so many.

I thought I was doing people a service by pointing out that IE7's OnUnload vulnerability was much less severe than Firefox's. You bitter Firefox supporters do understand that "security researchers" try the same vulnerability on the other browser ... aren't you?

""It's critical that Firefox users keep themselves updated to protect against software vulnerabilities. Firefox users cannot fool themselves into thinking that security is just a problem for Microsoft products," said Graham Cluley, senior technology consultant for Sophos. "It makes sense for all computer users to remain alert about the latest security flaws, and ensure they are running the latest patched version of their chosen internet browser."

http://www.infozine.com/news/stories/op/storiesView/sid/21279/

I disagree with the article. Firefox users DO fool themselves all the time.

#7 By 13030 (198.22.121.110) at 2/27/2007 12:44:11 PM
IE7... designed to force those who are running non-XP SP2 Windows systems to pay to upgrade for security. MS has to foist an OS service pack or OS upgrade on the user to achieve security. Firefox gives you a nice dialog box and delayable app restart.

I still don't personally know a person in the high-tech industry that chooses to use IE over Firefox. I know they must be out there--beyond the MS zealot confines here. The quest continues...

NotParker is still not up to the challenge, I see. Shame, shame. Are you just unable to put money where your mouth is?

#8 By 15406 (216.191.227.68) at 2/27/2007 12:52:05 PM
#6: Is IE7 patched for this bug yet? How about now?




Now?

Maybe I should come back a month from now on Patch Tuesday, followed closely by exploit Wednesday. You would think MS would move a little bit quicker considering this bug is much worse under IE7 than it is under Firefox. BillG must be too busy counting his money, and Ballmer is too busy throwing chairs and FUD.

#9 By 37047 (216.191.227.68) at 2/27/2007 12:54:14 PM
#6: The point is not that security is only an IE issue. It clearly isn't. However, Firefox already has this issue fixed and released to the people, and IE doesn't. But don't worry, I am sure MS will get around to fixing this eventually.

#10 By 32132 (142.32.208.231) at 2/27/2007 1:25:10 PM
Actually, under Firefox the unload vulnerability is very serious. Not so much under IE7.

https://bugzilla.mozilla.org/show_bug.cgi?id=371321

Firefox is susceptible to a seemingly pretty nasty, and apparently easily exploitable memory corruption vulnerability.

...

This bug also effects Firefox under Linux(Ubuntu)


This post was edited by NotParker on Tuesday, February 27, 2007 at 13:25.

#11 By 8556 (12.210.39.82) at 2/27/2007 1:46:40 PM
Opera is better than either IE7 or Firefox. Give it a try. It's just as free as the other two browsers and has fewer security issues.

#12 By 15406 (216.191.227.68) at 2/27/2007 3:46:47 PM
#10: And yet nobody's worried as it's already been patched. Where's the IE patch again? Surely it came out since my last post?

#11: I think Opera left a bad taste in a lot of users mouths when they wanted to charge for a browser you could get elsewhere for free, and then their ad-supported model. I don't think they'll ever recover marketshare. They seem to be popular in the embedded space, but I doubt they'll do much more on the desktop.

#13 By 15406 (216.191.227.68) at 2/27/2007 3:48:29 PM
Hmmm, no patch for the IE bug, but here's a NEW IE bug:

http://www.betanews.com/article/Threeyearold_JavaScript_Bug_Continues_to_Plague_IE7/1172607530

#14 By 32132 (142.32.208.231) at 2/27/2007 4:12:04 PM
#13 "but here's a NEW IE bug"

Nope. Same onunload bug. Very, very hard to exploit:

"Of course, the code itself would need to be attached to a page whose authenticity can't be questioned even though the event code hasn't been run yet. That's a tricky maneuver unless the HTML framework is being run by an e-mail client whose JavaScript interpreter is enabled.

In BetaNews tests of Zalewski's test page in IE7 on multiple Windows machines, including two XP-based systems and one Vista-based Virtual PC-driven environment, the test page failed to spoof a Web site effectively when the user attempts to exit the page by clicking on a link in IE7's Links toolbar or Favorites list. While the user is still stuck on the test page, the address bar continues to read the test page's address."

The Firefox version can let a malicious site OWN your PC.

Getting desperate coffeegirl?

#15 By 32132 (142.32.208.231) at 2/27/2007 4:13:29 PM
"And yet nobody's worried as it's already been patched."

Not accoring to the weblogs I have access to. Most users are still using vulnerable versions of Firefox.

Of course all vesions of Firefox are vulnerable over and over again. 6 - 12 own your box exploits per month it seems.

#16 By 8556 (12.210.39.82) at 2/27/2007 11:03:16 PM
#13: you are correct that Opera made the wrong impression when they charged or used ads that were disctracting. Opera 9.1 is excellent. Anyone that has security issues with their browser should give it a try. Free is a great price for what seems to be the most secure widely available browser today.

#17 By 8556 (12.210.39.82) at 2/27/2007 11:04:35 PM
#16: Isn't porn the main reason why virtual sandbox programs like Green Border Pro to exist? Oh yeah, there's general security also.

#18 By 32132 (64.180.219.241) at 2/27/2007 11:22:20 PM
"Window Snyder, chief security officer at open source browser maker Mozilla, is caught in the crosshairs of the raging browser vulnerability battle.

On one hand, her company launched an upgrade to its Firefox browser on Feb. 23 that specifically aims to fix a number of flaws that have been discovered in the program.

On the other hand, she's dealing with almost daily reports of newly identified vulnerabilities in Firefox disclosed by a researcher who makes his work public before informing Mozilla of the problems.

...

Despite Mozilla's ongoing security efforts, Firefox has come under intense scrutiny from Michal Zalewski, a well-known independent security researcher who has published a collection of previously undiscovered vulnerabilities in the browser during the month of February.

The Firefox security update was already delayed several days so that Mozilla could address an issue published by the researcher earlier this month dubbed the location.hostname vulnerability.

And on the eve of Mozilla's release of the revamped browser, dubbed Firefox 2.0.0.2, Zalewski published information about yet another flaw in the product involving a memory corruption issue that could allow attackers to take control of computers running the software."

http://www.pcworld.com/article/129350-1/article.html?tk=nl_dnxnws

#19 By 32132 (64.180.219.241) at 2/27/2007 11:24:56 PM
"Mozilla has confirmed a potentially serious flaw in its open source Firefox browser.

Developer Michal Zalewski, who uncovered the flaw, described it as " seemingly pretty nasty, and apparently easily exploitable".

The vulnerability affects current versions of Firefox for all major PC platforms, according to Zalewski's report.

The use of a certain JavaScript instruction can cause Firefox to crash, allowing an attacker complete access to a system and the ability to run malware remotely.

Zalewski said that the attack could be carried out by convincing a user to access a specially-crafted HTML file that hosts JavaScript code targeting the vulnerability.

Bugzilla, the error-tracking system used by Mozilla, classifies the vulnerability as 'critical', the second-highest priority.

The vulnerability has only been demonstrated as a proof-of-concept code and there have been no reports of active exploits.

The disclosure comes on the same day that Mozilla released an update for Firefox, which does not address the JavaScript flaw."

http://www.itweek.co.uk/vnunet/news/2184139/vulnerability-uncovered

This post was edited by NotParker on Tuesday, February 27, 2007 at 23:26.

#20 By 37047 (216.191.227.68) at 2/28/2007 12:02:43 PM
So, I guess, based on what ParKKKer says, MS bases their need for quality on what other products have for quality. If any other product on the market has the slightest issue, then MS can put out whatever flaky, security hole ridden piece of crap it wishes, because if anyone complains, then they can just point to any other product, and say "See, they have bugs too, so we can release crap too! Please ignore the man behind the curtain!"

#21 By 32132 (142.32.208.231) at 2/28/2007 4:54:55 PM
In a perfect world, software would have zero bugs. In the real world, having significantly less bugs than your counterpart is the next best thing.

For example, IIS 6 is waayyy more secure than IIS 5 and more secure than Apache 2.x.

Also, SQL 2005 is wayyyy better than Oracle and SQL 2000.

Now, so far, IE7 is waayyyy better than IE 6 and Firefox.

Great job Microsoft!


#22 By 32132 (142.32.208.231) at 2/28/2007 6:15:34 PM
#21 "If any other product on the market has the slightest issue"

By the way, aren't you ashamed of trying to minimize Firefox's 40 or more own the box holes as a "slightest issue".

#23 By 12071 (203.185.215.144) at 2/28/2007 8:44:19 PM
In a perfect world, all vulnerabilities and bugs would be REPORTED so that the users of said software can take appropriate action. In a perfect world, those same vulnerabilities and bugs would be fixed in a timely manner rather than waiting for a particular day of the month, x months after an issue was first noticed. Open source software is much closer to this perfect world, as it doesn't need to artificially lower the number of reported issues to keep gullible users and shareholders in a permanent state of ignorance.

#24 By 32132 (64.180.219.241) at 2/28/2007 9:22:35 PM
It may very well be that writing code the day before a set of patches are going out is ok in the alternate bizarro open source world. I personally would prefer some regression testing.

I would also prefer to read about the bugs to see how old they really are. But most are still embargoed on bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=366123

I applaud Microsoft's efforts in making IE7 secure. I think Mozillas track record is getting worse.

Of course, while Mozilla counts this as one fix, it is actually 24 bugs: http://www.mozilla.org/security/announce/2007/mfsa2007-01.html


Of course if Michal Zalewski can find a serious hole in Firefox every day and then emails Mozilla, what about the hundreds of other security holes hackers are finding and not telling Mozilla about?

This post was edited by NotParker on Wednesday, February 28, 2007 at 21:25.

#25 By 15406 (216.191.227.68) at 3/1/2007 8:46:47 AM
#22: Having less bugs is better, in your perfect world? Fair enough. Parkkker is now on record saying that it's better to have one own-your-box bug than 10 steal-your-cookie bugs. Brilliant!

Write Comment
Return to News
  Displaying 1 through 25 of 339
Last | Next
  The time now is 8:56:39 AM ET.
Any comment problems? E-mail us
User name and password:

 

  *  
  *   *