The Active Network
ActiveMac Anonymous | Create a User | Reviews | News | Forums | Advertise  


  Microsoft browser in need of security
Time: 10:21 EST/15:21 GMT | News Source: E-Mail | Posted By: Brian Kvalheim

Microsoft's Internet Explorer Web browser showed more weaknesses this month when the company announced it found yet another security vulnerability within the program. The security risk affects not only Internet Explorer but also about a dozen other programs, including the operating system and Office applications such as Word, Outlook and PowerPoint. The weakness could let a hacker gain access to a computer by writing malicious code into a JPEG file -- the most widely used photograph format on the Internet. That means you could simply go to a Web site that displays a JPEG photograph and instantly be vulnerable to a hack. Fortunately, Microsoft has released a patch on its Web site ( that will fix the problem.

Write Comment
Return to News

  Displaying 1 through 25 of 122
Last | Next
  The time now is 5:26:19 PM ET.
Any comment problems? E-mail us
#1 By 37 ( at 9/28/2004 1:27:32 PM
I think linux is prolly closer to 1-2% installed base in real use.

#2 By 2960 ( at 9/28/2004 1:46:12 PM
This one is downright SCARY!


#3 By 17996 ( at 9/28/2004 3:20:01 PM
I am so sick of all of the half-truths and FUD going around about this GDI+ flaw.

You will NOT get infected by using IE to view a web page that contains a malicious JPEG. IE does NOT use GDI+ for JPEGs!

It was simple to test this out. I'm using XP SP1, IE6. I started up WinDbg, a free debugger available from Microsoft. I started up iexplore.exe and went to a web site that displayed JPEG images. WinDbg lists all of the DLLs as they are loaded by the application and guess what -- GDIPLUS.DLL was *not* loaded!

Unfortunately, the people who write these articles (and unfortunately the people who comment on most forums such as this one (no offense to anyone)) are not the type of people who know how (or would bother) to investigate whether viewing an image in IE puts you at risk.

I'm not trying to downplay this flaw, though -- it is very serious, especially since the Windows XP shell uses GDI+ for thumbnails, filmstrip view, and the "picture/fax viewer" preview window. If you would save that vulnerable image to your hard drive and view it in Explorer, you would be infected.

Site note: GDI+ has built-in support for transparent PNGs. If you have some on your hard drive, you'll notice they're transparent in the filmstrip view and picture/fax viewer. IE, if it would use GDI+ for images, would have instant access to transparent PNGs.

#4 By 12071 ( at 9/29/2004 10:16:36 AM
#9 You could have provided a link rather than showing off your cut and paste abilities.

#10 "But that's not as bad as the JPEG flaw, since it's just a bitmap, right?"
When it comes to the web, you're absolutely correct, it's not as bad as the JPEG flaw given the proportion of BMP's used on the web vs JPEG's! But that doesn't mean it's not serious and shouldn't be fixed! Oh look at that, if you've been running FireFox 1.0PR (which was released on the 14th of September) you're patched against that and all the other vulnerabilities you pointed out.

#12 Nope, as long as you updated to v1.0PR in the last 2 weeks you're safe. A much better alternative in my opinion to waiting until next month's round of patches and hoping that everything is fixed in them.

#14 It's just a pity that you don't also have the IE code, as then you could really compare them and determine which is half-assed and which isn't, or which is more half-assed.

#5 By 12071 ( at 9/29/2004 11:38:21 AM
#16 "You just made my point."... "FireFox is just as unsecure as IE."
Only in your mind did I make your point. FireFox is nowhere near as unsecure as IE, but yes it does have it's share of bugs and vulnerabilities which are fixed and then released to the public rather than making them wait for the next security patch rollup (or the one after that, or the one after that one... etc).

"Everyone needs to keep up with patches."
Finally something that we agree on!

"The difference is exploit code for FireFox was around since early July, and the patch wasn't released until mid-September."
July? The bug was filed in mid-August.

#6 By 12071 ( at 9/29/2004 9:17:18 PM
#19 "Yea. Only whitehat developers find exploits and submit them dutifully. There isn't such a thing as a blackhat, is there?"
So do you have any proof to back up your original statement that "exploit code for FireFox was around since early July", i.e. a month before the bug was filed? Or did you just assume that exploit code was available for that length of time?

"BTW: It was fixed in 1.7.3"
BTW: We were talking about FireFox not Mozilla, hence why I already mentioned that v1.0PR of FireFox was released on the 14th of September and included this fix.

#7 By 12071 ( at 9/30/2004 7:53:47 AM
#30 "Little boy, there's things called search engines."
In the time it took you to try and appear intelligent and above us all, you could have provided a link to show that exploit code was available in early July. So where's the link?

"Yea. FireFox is sure secure."
Compared to IE it sure is. Is it bug-free/perfect? God no! It has more than it's fair share of bugs, but it's still safer to use than IE. And as a bonus it's also far more standards compliant. It's a good thing we have a choice in web browsers.

"ME: "The difference is exploit code for FireFox was around since early July, and the patch wasn't released until mid-September.""
"ME: "It was fixed in 1.7.3. ... Released Sept 13, 2004 ""
You missed just one little thing. Before you mentioned both of those comments, I had already mentioned that it was fixed in v1.0PR, which is why I had to repeat myself as you seem to lack comprehension skills, or perhaps you're just blind.

"Go write some perl scripts or recompile your kernel."
Is this comment supposed to get some kind of a reaction from me? Or does it show your complete ignorance in that you believe that *nix users have to compile everything manually?

#8 By 4240821 ( at 10/26/2023 12:30:43 PM

#9 By 4240821 ( at 10/30/2023 11:14:23 AM

#10 By 4240821 ( at 10/31/2023 4:15:10 AM

#11 By 4240821 ( at 10/31/2023 10:01:46 PM

#12 By 4240821 ( at 11/1/2023 8:27:39 AM

#13 By 4240821 ( at 11/3/2023 6:13:41 AM

#14 By 4240821 ( at 11/4/2023 6:32:36 PM

#15 By 4240821 ( at 11/5/2023 11:38:31 PM

#16 By 4240821 ( at 11/8/2023 3:59:53 PM

#17 By 4240821 ( at 11/10/2023 6:16:03 PM

#18 By 4240821 ( at 11/11/2023 9:44:16 PM

#19 By 4240821 ( at 11/12/2023 6:55:52 PM

#20 By 4240821 ( at 11/13/2023 10:17:34 PM

#21 By 4240821 ( at 11/15/2023 12:27:56 AM

#22 By 4240821 ( at 11/15/2023 8:45:28 AM

#23 By 4240821 ( at 11/16/2023 6:15:47 AM

#24 By 4240821 ( at 11/16/2023 7:30:33 PM

#25 By 4240821 ( at 11/18/2023 4:29:55 AM

Write Comment
Return to News
  Displaying 1 through 25 of 122
Last | Next
  The time now is 5:26:19 PM ET.
Any comment problems? E-mail us
User name and password:


  *   *