IE7 Vulnerability Discovered

slidersv writes "Not 24 hours after the release of IE7, Secunia reports Internet Explorer Arbitrary Content Disclosure Vulnerability. So much for the "you wanted it easier and more secure" slogan found on Microsoft's IE Website."

two words

ha ha

Re:two words

but that was only one word..... twice

Re:two words

Yes, you're right.. it is traditional when releasing a new version of software to THROW OUT ALL YOUR CODE AND START OVER FROM SCRATCH.

I love it when people in the cake decorating industry post to slash dot.

Re:two words

One word: Brillant!

Re:two words

Not an issue - domains actually have a dot at the end, in the format, e.g.:

blabla.tld.

http://www.google.com/ [google.com]
http://www.google.com./ [www.google.com]

Both work.

Brillant Link.

Took me all of 3 seconds Googleing for "brillant site:thedailywtf.com".

Paula's Brillant Bean:

http://thedailywtf.com/forums/40043/ShowPost.aspx [thedailywtf.com]

Re:two words

If you are going to do, at least do it right:

ha ha [imageshack.us]

Re:two words

How much you want to bet this guy found the vuln weeks ago, but held off on releasing it so he could brag that he discovered the first IE7 vuln, and it only took him less than 24hr!

IE7 Vulnerability Discovered

In a very motherly voice:

Oh Microsoft, what are we going to do with you, eh?

Re:IE7 Vulnerability Discovered

Format C:. Install any other OS.

PGA

Browsers are just too complex

Thats the root of the problem. I'd wager 90% of the functioanlity for browsers is only used by 5% of end users. Granted a lot of stuff is demanded by web develoeprs who want fancy this, animated that, and sliding and fading the other, but to be honest, most of us dont need any of that junk.
As end users, how much of browser bloat do we really need?
I think there was a slashdot story asking for feature requests for firefox recently. my main request is this please:

less of everything

Its already at the case where im starting to notice how long it takes firefox to start. Sometimes more features does not mean better. Its like anything, cars, mobile phones, TVs, they all have major feature bloat.
I found it actually impossible to buy a new mobile *without* internet access. Its insane. i remember when you didnt have an animated 'startup' screen for your phone, because the damned things just switched on.

Feature bloat -> just say no :D

Re:Browsers are just too complex

Here's your porch, here's your chair, and here's your lawn. Now repeat after me, "DAMN KIDS! GET OFFA MY LAWN!"

Re:Browsers are just too complex

Thats the root of the problem. I'd wager 90% of the functioanlity for browsers is only used by 5% of end users.

I don't think this is the case, because for the most part users don't choose which broswer features they use; web sites do that for them.

However, I think the web development model is far too complex, which both causes site developers to create security holes in their applications, and creates many places for security holes to exist in the browser itself.

Re:Browsers are just too complex

While I agree with your No Bloat argument, you neglected an oft overlooked reason that IE contains all these "features", and it's not web developers. It's application developers. There are a slew of vertical market applications that many small to midsize companies are using, where the developer has dropped, or maybe never had, its own user interface, in favor of using IE and ActiveX controls. Insurance brokerages, medical practices, law firms and more, all of them have large, commercial, expensive applications available to them for running their businesses, and many of them are IE based. IE in these cases is just the front end to data stores running on everything from SQL Server on Intel to AIX on Power to whatever. Many times with no Internet connectivity at all.

MSFT can't just disable, drop or change these features, because doing so could break an enter business. So they just pile up more and more code into an already chaotic program.

Helllloo?

Last time I checked, Firefox was open source. You are more than welcome to fork the project and make a "lite" version. I would probably give it a try.

But, don't forget that if you strip away too much, you'll end up with Lynx. Some people like at least images and css, you know?

Re:Browsers are just too complex

Thats the root of the problem. I'd wager 90% of the functioanlity for browsers is only used by 5% of end users.

You would lose that wager. 80%+ of the technology that makes web browsers tick is required just to show you a blasted web page. The standardized APIs allow a good way for JavaScript to then make those pages interactive. Not too many sites are JavaScript-free these days.

What I think you're trying to say, is that features above and beyond the W3C standards are:

1. Not useful
2. Poor attempts at lockin
3. Dangerous

If Microsoft would just stick to the bloody standards, we'd all be better off. Unfortunately, they're still in 1995 mode, trying to beat Netscape at their own propertization game. It wouldn't surprise me if the requests for DOM 2 Events support were STILL ignored in this "final" release of IE7. *grumble* And Microsoft thinks developers will like them because of this?

Re:Browsers are just too complex

hang on, my dad has a Razor phone, thats exactly the kind of thing I didnt want. thats bloatware extreme. I dont want web acecss, or even the option for it, or the buttons for it, or anything. Not a camera, not a microphone, nada. zip.
I just want a phone. to make and recieve calls. I dont even text.

I know I know, Im old.

Not Really news

It's not really news that there are security issues in IE 7. Problem is there are security issues in so much these days that it's really just about what has been found so far.

Back to the old text based lynx browser for me. Now, Anyone know where I can get a flash plugin for Lynx? ;-)

Old exploit

This exploit exists in IE6. It just means MS didn't fix it in IE7. It's not like it's a new exploit that was quickly discovered within the few hours after IE7 was released.

Re:Old exploit

This exploit exists in IE6. It just means MS didn't fix it in IE7. It's not like it's a new exploit that was quickly discovered within the few hours after IE7 was released.

To me, at least, that's kind of the point. I mean, this is an old old IE6 bug, that M$ has known about for a certainly reasonable amount of time. Yet, they still haven't fixed it. And not to say it's a big deal that they haven't fixed it in IE6 yet. It's not like it's a Critical Priority bug (no pirates can steal Windows or MP3s because of it). But they point is, they did their whole "We heard you" campaign, and claimed IE7 was going to be this great new secure landscape... and they didn't even clean up the old IE6 bugs they KNEW about? I mean, seriously, at this point are we supposed to believe that they're even trying?

Re:Old exploit

Well, you could argue that it was quickly discovered to still exist in IE7. Interestingly, this vulnerability contradicts claims that IE7 is a rewrite. Clearly, it is not.

Using Vista RC1

The Secunia test says I am not vulnerable with Vista RC1

Vista RC1 was released almost a month ago.
So I am surprised this new XP IE7 build still exibits this issue.

Looking at the source, I suspect this is not a IE issue at all, instead this is a MSXML issue.
Vista has anewer version of MSXML.
XP IE7 seems to be using the older version.

 

Misunderstanding

Maybe the line should read "You wanted it easier AND more secure?".

Let's be fair

The same problem is known on IE 6 since April 2006 [secunia.com]

Re:Let's be fair

That makes it worse. Not only is IE7 not a "rewrite" as some claimed, but it doesn't fix known vulnerabilities in its previous version. At least if it was new code, you could understand and expect an unknown vulnerability.

Re:Let's be fair

All right, here's just one result from Google: "fundamental rewrite" [wsj.com]

Not much of a surprise

This shouldn't be too much of a suprise ... how many software products are 100% bug free when released, particularly Microsoft's? Anyone who downloads or buys any software within the first few weeks is just asking for it ... and anyone who buys a Microsoft product within the first year is bound to have issues, whether security breaches or just annoying bugs.

News?

Doesn't everyone use firefox anyway?

Vista RC2

I just ran the exploit test using IE7 under Vista RC2, and it came back and said that my browser "does not appear to be vulnerable to this particular exploit", so is this just a IE7 under XP issue?

Active Scripting

This has been a problem in Internet Explorer for a while (IE 6 and prior versions). Most people turn off Active Scripting because of the vulnerabilities. You can disable it and have "trusted" sites for those sites which you want to enable active scripting like http://windowsupdate.microsoft.com./ [windowsupd...rosoft.com]

Come on

It's a "Less critical" vulnerability - not really dangerous at all. Firefox still has equally important unpatched "vulnerabilities" [secunia.com] - some of which [secunia.com] date back to 2004 [secunia.com]. Retards.

Re:Come on

This IE hole requires no user interaction. Unlike the firefox bugs he links to a simple web page can leverage this IE hole with no extra user input. And considering the URI exploited is used within email I'd imagine Outlook is susceptable, too. So the firefox vulnerabilities mentioned are much less likely to be exploited than this IE hole.

Yawn.

Stretch. Scratch.

Oh, an IE vulnerability? That's cool man.

Hey, anyone want to get some lunch?

Good timing, Secunia

But every sane person in the world already has Internet zone security level set to High so who is gonna be affected by this?

IE7 maybe not vulnerable?

IE7, freshly installed this morning, on XP SP2 reports not vulnerable. Perhaps it was already patched, or the exposure is more limited than the post implies...

Not an MS fan, but truth and accuracy are always good.

Re:IE7 maybe not vulnerable?

Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected.

http://secunia.com/advisories/22477/ [secunia.com]

"Suprise, Suprise, Suprise" -- Gomer Pyle.

"Fool me once, shame on you. Fool me twice, shame on me." -- Scotty.

"Insanity is defined as repeating the same behavior and expecting a different result."

Micorosoft have been patching security for years. They now claim, "Security is job one." Do you believe it? Why would you? I would not trust IE unless it is rewritten from scratch. There is only so many patches you can do.

I worked on CALANdar back in the 90s. The program started its life as a quick and dirty in/out notifier. Over the years, it turned into a groupware scheduling package. Ignoring my protestations regarding security risks, I was required to add OLE to the Windows version. There was comments from the original author that said "I know this case is F**Ked, but Dick wanted it done now, I will fix it later." That code was there 4 years after the original author left. When you add onto an unstable base, you do not make code more stable.

This page produces a rendering bug for me

*sigh* And I sincerely wanted to move to IE7 from Firefox just to be contrarian.

Opera doesn't want to feel left out

This vulnerability is not very significant. What I found more amusing was that on the same secunia page there's a list of the most popular advisories and Opera appears just under IE. The Opera vulnerability [secunia.com] involves a mistake that any student learns to avoid in his or her first programming class. Furthermore, the Opera buffer overflow is rated as "highly critical" and affects both Windows and Linux versions, whereas MSIE 7's is only "less critical." The Opera bug is truly an amateur's mistake.

Disingenuous

kind of a double edged sword. Its just so intellectually dishonest. Obviously they had found the hole before the release and were just waiting to try to embarrass MS.

They claim they want to see secure MS software, but work against the industry practice of making software more secure and bug proof by withholding flaws they find.

IE7 is actually pretty good

I have used ff for a few years now, and have been a fan. I presently run ff 2 RC3. I overall like ff, but I find besides the memory feature, that it is just slow and balky compared to IE (and I have tweaked the ff settings for speed). I really want to like ff more, but until it becomes a smoother experience, I will likely do most of my browing with IE7. As for being more secure, I just assume no matter what that any machine connected to the net is not secure and act accordingly.

As the saying goes...

Any publicity is good...good publicity is even better.

Keep chatting it up, people. This is exactly what red-o-mundo' wants - how's it feel to be sooooo used, eh? :)

I wonder when they knew about the vulnerability?

If they knew about it before the release of IE 7 then they're low-lifes.

There will always be issues

People will always find something. When you got hundreds of thousands of people checking your software for whatever issue they can find, odds are that they WILL find something. Just because its fun to bash MS doesnt mean its feasible to create a software with zero vulnerabilitise, that's impossible, new vulnerabilites are created each weeks.

I mind much less IE's security than IE's compliance to w3 standards. now THAT is annoying. having constantly to create two versions of your code. one for the compliant browsers and then one for IE.

For some reason, the suits at MS thinks that because lots of people use their software they have a moral obligation to tell people what the standards should be. Ok...I know IE7 is not as bad... but its still bad :-)

What?

This is news?

Doesn't affect IE7 on Vista RC1

I'm running some beta of IE7+ on Vista RC1 (I haven't had time to upgrade to RC2 yet). The vulnerability test shows that this browser isn't vulnerable.

Is this a bug?

As seen with Webkit.

Server: Apache
Location: mhtml:http://secunia.com/ie_redir_test_2
Keep-Alive: timeout=5
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Webkit cannot open this address, and the script breaks. Nothing appears in the results field.

IE7 hangs on CTRL+W

Okay, so it hangs if I just launch it and press CTRL+W. Anyone else experience this?

This is not a new exploit

If you go to the website and run the vulnerability checker you will find I.E. 6 has the same problem.

So to raise the sky is falling alert is premature in a sense, but any bad news is good news to alert people to the exisiting fact that I.E. is unsafe at any version.

Doesn't work on Vista

The exploit fails running on IE7 in Vista with protected mode.

THIS JUST IN!!!

didn't see that coming... nope.

THE PROBLEM WAS FIXED!

I went to the site and found out that the bug wasn't working! Then I looked and saw that I opened up Firefox instead of IE7.

[off topic] - tortoise SVN

Sorry for the OT, but I have some work to get going for a change.
Does any of you who have tried IE7.0 use Tortoise SVN extensions?
Does it keep working fine after IE 7 install?

Thanks.

So much for "more secure"?

Dude, 24 hours is more secure for Internet Explorer.

Come on

What did you expect people? Of course IE7 vulnerabilities! It is IE after all.

easier and secure

"you wanted it easier and more secure"....sounds like bringing a gun when picking up a hooker.