| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Secunia: Internet Explorer 7 "mhtml:" Redirection Information Disclosure | |
|
||
| Time: 12:25 EST/17:25 GMT | News Source: ActiveWin.com | Posted By: Robert Stein | ||
|
A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site. | ||
|
Write Comment
Return to News |
Displaying 26 through 50 of 322 Prev | Last | Next |
The time now is
2:19:00 PM
ET.
Any comment problems? E-mail us |
| #26 By 37047 (216.191.227.68) at 10/20/2006 3:48:17 PM |
|
Actually, you have it backwards. If Firefox uses a Windows DLL in the Windows version, and it causes a security hole to exist in Firefox, then it is a Firefox issue. The fix may be to not use the function from that DLL, and to create a new function. But the fact that the DLL ships with Windows does not make it a Windows issue. If that were the case, then any .Net application could blame the .Net framework for every bug encountered. However, if you use the .Net framework to create your application, and then it is found that some .Net DLL has a bug in it, it is still your responsibility to do something about your application, beyond merely saying that it is Microsoft's fault and it is their bug, not yours. Find a new way to impliment the functionality that doesn't use their buggy function if you need to, but you are responsible for problems with your application, not MS. However, if MS has released a fix for the broken DLL, then you might give the customer a new package that includes the fixed DLL from Microsoft, using whatever redistributable mechanism they allow. But simply telling the customer to talk to Microsoft, because the bug is in their .Net library probably won't win you any repeat business from that customer.
In other words, the only people who really care where the particular offending code originally came from are the developers who have to fix the problem in their application. Ultimately, it is a bug in a Microsoft written piece of code, and it has an adverse effect on the functioning of Internet Explorer, and it is Microsoft's responsibility to fix it, presuming they care enough about the issue to fix it in the first place. Saying that the DLL originated with Outlook Express is merely hair splitting and window dressing. The bug is in all software that use this library's parser. That means that multiple applications may have that bug. But no one else will try to get away with saying that this is an Outlook Express bug, not ours. |
| #27 By 21203 (208.252.96.220) at 10/20/2006 4:03:58 PM |
|
If Firefox uses a Windows DLL in the Windows version, and it causes a security hole to exist in Firefox, then it is a Firefox issue.
Ok, so in the "identification of the problem" phase, you don't agree the problem would be non-firefox in this instance. The fix may be to not use the function from that DLL, and to create a new function. It's not as easy as you say. There are tons of functions/features/dependencies in all aspects of Windows. One cannot simply say "Oh, there's a security problem in the file system of windows, so let me re-write that entire handler on my own to take care of it." Ownership of the problem is well understood here, and API's are published for precisely that reason. In this particular case, OE is just another application that has added a handler to IE. That handler calls outlook to function. My example for firefox was a TON more basic -- there are a bazillion applications on windows that use file sharing, yet in all the cases of file share vulnerabilities of programs, you never hear anyone saying "well, we should not use that function anymore, or perhaps rewrite a new file sharing mechanism in our own ISV-written application, or perhaps rewrite the entire file share system within Windows". That would be crazy ... Both Windows and IE are launching pads for applications. It's easy to blur the line between them, but it's very clear who's responsible here. Sure, you could argue that MS should own up for everything. And they are -- they're saying exactly where the owner of the problem is, and the OE team is handling it. This post was edited by mram on Friday, October 20, 2006 at 16:04. |
| #28 By 15406 (216.191.227.68) at 10/20/2006 4:27:54 PM |
|
http://www.betanews.com/article/Address_Redirection_Cause_of_IE7_Issue/1161374568
|
| #29 By 32132 (142.32.208.231) at 10/20/2006 5:38:26 PM |
|
"In Secunia's innocuous test, the browser appears to open up the source code for Google News. However, the call to Google News was placed locally, meaning the redirection successfully forced the browser to parse a local resource request. "
The source code seems to say otherwise. It calls a page that calls a page that calls Google news and then puts the result of that call into a variable that it then parses. |
|
Write Comment
Return to News |
Displaying 26 through 50 of 322 Prev | Last | Next |
The time now is
2:19:01 PM
ET.
Any comment problems? E-mail us |
