IE7 Vulnerability Discovered

Posted by CmdrTaco
from the that-didn't-take-long dept.
slidersv writes "Not 24 hours after the release of IE7, Secunia reports Internet Explorer Arbitrary Content Disclosure Vulnerability. So much for the "you wanted it easier and more secure" slogan found on Microsoft's IE Website."
This discussion has been archived. No new comments can be posted.

  • two words (Score:5, Funny)

    by doti (966971) on Thursday October 19, 2006 @10:01AM (#16501617) Homepage
    ha ha
  • by Rik Sweeney (471717) on Thursday October 19, 2006 @10:04AM (#16501669) Homepage
    In a very motherly voice:

    Oh Microsoft, what are we going to do with you, eh?
  • by cliffski (65094) on Thursday October 19, 2006 @10:05AM (#16501675) Homepage
    That's the root of the problem. I'd wager 90% of the functionality for browsers is only used by 5% of end users. Granted a lot of stuff is demanded by web developers who want fancy this, animated that, and sliding and fading the other, but to be honest, most of us don't need any of that junk.
    As end users, how much of browser bloat do we really need?
    I think there was a Slashdot story asking for feature requests for Firefox recently. My main request is this please:

    less of everything

    It's already at the case where I'm starting to notice how long it takes Firefox to start. Sometimes more features does not mean better. It's like anything, cars, mobile phones, TVs, they all have major feature bloat.
    I found it actually impossible to buy a new mobile *without* internet access. It's insane. I remember when you didn't have an animated 'startup' screen for your phone, because the damned things just switched on.

    Feature bloat -> just say no :D
    • by Goaway (82658) on Thursday October 19, 2006 @10:08AM (#16501743) Homepage
      Here's your porch, here's your chair, and here's your lawn. Now repeat after me, "DAMN KIDS! GET OFFA MY LAWN!"
    • Re: (Score:3, Interesting)

      by truthsearch (249536)

      The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.

      The only reference I could find to an mhtml URI through google (which isn't a vulnerability report) is for HTML email. I've generated multi-part MIME email content and never once came across this type of URI. So if someone could elaborate on why this feature even exists it would be helpful.

    • by hey! (33014) on Thursday October 19, 2006 @10:15AM (#16501867) Homepage Journal
      That's the root of the problem. I'd wager 90% of the functionality for browsers is only used by 5% of end users.

      I don't think this is the case, because for the most part users don't choose which browser features they use; web sites do that for them.

      However, I think the web development model is far too complex, which both causes site developers to create security holes in their applications, and creates many places for security holes to exist in the browser itself.
    • by acvh (120205) <`moc.sragicsm' `ta' `keeg'> on Thursday October 19, 2006 @10:16AM (#16501903) Homepage

      While I agree with your No Bloat argument, you neglected an oft overlooked reason that IE contains all these "features", and it's not web developers. It's application developers. There are a slew of vertical market applications that many small to midsize companies are using, where the developer has dropped, or maybe never had, its own user interface, in favor of using IE and ActiveX controls. Insurance brokerages, medical practices, law firms and more, all of them have large, commercial, expensive applications available to them for running their businesses, and many of them are IE based. IE in these cases is just the front end to data stores running on everything from SQL Server on Intel to AIX on Power to whatever. Many times with no Internet connectivity at all.

      MSFT can't just disable, drop or change these features, because doing so could break an entire business. So they just pile up more and more code into an already chaotic program.

    • Re: (Score:2, Interesting)

      by aadvancedGIR (959466)
      If only it was only unused stuff, it wouldn't be that bad.
      I recently visited the website of a car manufacturer which was full of (I don't want to know which one) cool things to replace the HTML and no kidding (I used my watch), I had between 80 and 200s between the moment I pushed a button and the expected effect (and yes, I was under up-to-date XP/IE6 with a perfectly working 11Mb/s line and it was not at a moment they should be expecting much traffic). The site was of course really nice looking, but it cou
    • Helllloo? (Score:5, Insightful)

      by thepotoo (829391) <thepotoospam@yah[ ]com ['oo.' in gap]> on Thursday October 19, 2006 @10:22AM (#16501981)
      Last time I checked, Firefox was open source. You are more than welcome to fork the project and make a "lite" version. I would probably give it a try.

      But, don't forget that if you strip away too much, you'll end up with Lynx. Some people like at least images and css, you know?

      • Who modded this troll? It's a perfectly legitimate point. He's not insulting the OP, it's a viable suggestion. While you could argue over whether it's insightful, informative, or funny (given the comment on Lynx), this is by far not a troll comment.
      • It's a little harsh to call that a troll.

        It's a serious point. You could make a lite version. Lots of people would give it a try, me included. And there have already been forks of Firefox, like IceWeasel and Tor Park.

        If it were talking about forking IE, it should be labeled "joke". As it's talking about Open Source stuff, it should be "insightful".
      • Man, people need to get metamodding if this is considered a troll.
    • by AKAImBatman (238306) * <akaimbatman@gma i l . c om> on Thursday October 19, 2006 @10:22AM (#16501993) Homepage Journal
      That's the root of the problem. I'd wager 90% of the functionality for browsers is only used by 5% of end users.

      You would lose that wager. 80%+ of the technology that makes web browsers tick is required just to show you a blasted web page. The standardized APIs allow a good way for JavaScript to then make those pages interactive. Not too many sites are JavaScript-free these days.

      What I think you're trying to say, is that features above and beyond the W3C standards are:

      1. Not useful
      2. Poor attempts at lockin
      3. Dangerous

      If Microsoft would just stick to the bloody standards, we'd all be better off. Unfortunately, they're still in 1995 mode, trying to beat Netscape at their own propertization game. It wouldn't surprise me if the requests for DOM 2 Events support were STILL ignored in this "final" release of IE7. *grumble* And Microsoft thinks developers will like them because of this?
    • by Salvance (1014001)
      The problem is that Firefox and other non-IE browsers are just trying to support the W3C standards and what web publishers write for their sites. Someone could certainly create a slimmed down version of Firefox that didn't have any bells or whistles, but would you continue to use it if some sites started displaying incorrectly?

      Firefox is gaining acceptance because it's more secure, generally faster, and provides far better support for the newer W3C standards such as CSS2. If you're looking for a small
  • Old exploit (Score:5, Informative)

    by Iphtashu Fitz (263795) on Thursday October 19, 2006 @10:06AM (#16501695)
    This exploit exists in IE6. It just means MS didn't fix it in IE7. It's not like it's a new exploit that was quickly discovered within the few hours after IE7 was released.
    • Re: (Score:2, Insightful)

      by otacon (445694)
      That is all the more reason to be concerned about it. If the flaw was known in IE6 then why in the world wouldn't it have been addressed in IE7, I mean they've been working on it for half the decade for crying out loud.
    • Re: (Score:3, Funny)

      by kfg (145172)
      So, what you're saying is that Bill's dog ate the patch?

      KFG
    • Re:Old exploit (Score:5, Interesting)

      by abaddononion (1004472) on Thursday October 19, 2006 @10:15AM (#16501887)
      This exploit exists in IE6. It just means MS didn't fix it in IE7. It's not like it's a new exploit that was quickly discovered within the few hours after IE7 was released.

      To me, at least, that's kind of the point. I mean, this is an old old IE6 bug, that M$ has known about for a certainly reasonable amount of time. Yet, they still haven't fixed it. And not to say it's a big deal that they haven't fixed it in IE6 yet. It's not like it's a Critical Priority bug (no pirates can steal Windows or MP3s because of it). But the point is, they did their whole "We heard you" campaign, and claimed IE7 was going to be this great new secure landscape... and they didn't even clean up the old IE6 bugs they KNEW about? I mean, seriously, at this point are we supposed to believe that they're even trying?
    • by rs232 (849320)
      "This exploit exists in IE6. It just means MS didn't fix it in IE7. It's not like it's a new exploit that was quickly discovered within the few hours after IE7 was released."

      But I thought IE7 was a brand new browser that didn't use any of the buggy old IE6 code.

      (Score:5, yet more damage control)
    • Re:Old exploit (Score:5, Insightful)

      by Overly Critical Guy (663429) on Thursday October 19, 2006 @11:01AM (#16502709)
      Well, you could argue that it was quickly discovered to still exist in IE7. Interestingly, this vulnerability contradicts claims that IE7 is a rewrite. Clearly, it is not.
    • Using Vista RC1 (Score:5, Interesting)

      by Utopia (149375) on Thursday October 19, 2006 @11:18AM (#16503015)
      The Secunia test says I am not vulnerable with Vista RC1

      Vista RC1 was released almost a month ago.
      So I am surprised this new XP IE7 build still exhibits this issue.

      Looking at the source, I suspect this is not an IE issue at all, instead this is an MSXML issue.
      Vista has a newer version of MSXML.
      XP IE7 seems to be using the older version.

       
  • by MrSquishy (916581) on Thursday October 19, 2006 @10:06AM (#16501699)
    Maybe the line should read "You wanted it easier AND more secure?".
  • Let's be fair (Score:5, Informative)

    by Lars T. (470328) <Lars.Traeger@g[ ... m ['oog' in gap]> on Thursday October 19, 2006 @10:07AM (#16501729) Journal
    The same problem is known on IE 6 since April 2006 [secunia.com]
  • by Salvance (1014001) on Thursday October 19, 2006 @10:08AM (#16501745) Homepage Journal
    This shouldn't be too much of a surprise ... how many software products are 100% bug free when released, particularly Microsoft's? Anyone who downloads or buys any software within the first few weeks is just asking for it ... and anyone who buys a Microsoft product within the first year is bound to have issues, whether security breaches or just annoying bugs.
    • Scroll up. This bug was discovered at least 5 months ago. IE 7 is not new software. It's an update to the IE 6 code base. This product is far from new. Hence this shared bug.
    • by Xugumad (39311)
      Heaven help those of us who need to test our websites with new browsers (worked perfectly first time, for reference, probably on account of having read, understood and used the HTML, XHTML and CSS standards).
  • News? (Score:3, Funny)

    by Treacharous (994718) on Thursday October 19, 2006 @10:09AM (#16501759)
    Doesn't everyone use firefox anyway?
  • Vista RC2 (Score:2, Interesting)

    by jkl6648 (531276)
    I just ran the exploit test using IE7 under Vista RC2, and it came back and said that my browser "does not appear to be vulnerable to this particular exploit", so is this just an IE7 under XP issue?
    • Well, I don't know about 7, but I got the same message running IE6 SP1 on XP saying my machine appeared not to be vulnerable. Of course this is my work machine behind a hardened firewall with all current MS patches. It will be interesting to see if my home machine reports as non-vulnerable as well.
  • Active Scripting (Score:2, Insightful)

    by DoomfrogBW (1010579)
    This has been a problem in Internet Explorer for a while (IE 6 and prior versions). Most people turn off Active Scripting because of the vulnerabilities. You can disable it and have "trusted" sites for those sites which you want to enable active scripting like http://windowsupdate.microsoft.com./ [windowsupd...rosoft.com]
  • Come on (Score:3, Informative)

    by critter_hunter (568942) <critter_hunter@@@hotmail...com> on Thursday October 19, 2006 @10:11AM (#16501803)
    It's a "Less critical" vulnerability - not really dangerous at all. Firefox still has equally important unpatched "vulnerabilities" [secunia.com] - some of which [secunia.com] date back to 2004 [secunia.com]. Retards.
    • Your first link is for a vulnerability which requires the user to do something (type in a file name). The second is a phishing attack.

      You might want to retake an IQ test before you start calling names on /.
      • by k_187 (61692)
        Why? No one else is required to.
      • by strider44 (650833)
        That was his point. Those are really trivial security holes that they haven't patched because they're pretty well unfeasible to actually attack, kind of like this IE hole.
        • Re:Come on (Score:5, Informative)

          by truthsearch (249536) on Thursday October 19, 2006 @11:22AM (#16503069) Homepage Journal
          This IE hole requires no user interaction. Unlike the firefox bugs he links to a simple web page can leverage this IE hole with no extra user input. And considering the URI exploited is used within email I'd imagine Outlook is susceptible, too. So the firefox vulnerabilities mentioned are much less likely to be exploited than this IE hole.
  • Yawn. (Score:5, Funny)

    by Honest Olaf (1011253) on Thursday October 19, 2006 @10:13AM (#16501847)
    Stretch. Scratch.

    Oh, an IE vulnerability? That's cool man.

    Hey, anyone want to get some lunch?
  • by jrsp (513795) on Thursday October 19, 2006 @10:17AM (#16501915)
    IE7, freshly installed this morning, on XP SP2 reports not vulnerable. Perhaps it was already patched, or the exposure is more limited than the post implies...

    Not an MS fan, but truth and accuracy are always good.
  • "Fool me once, shame on you. Fool me twice, shame on me." -- Scotty.

    "Insanity is defined as repeating the same behavior and expecting a different result."

    Microsoft have been patching security for years. They now claim, "Security is job one." Do you believe it? Why would you? I would not trust IE unless it is rewritten from scratch. There are only so many patches you can do.

    I worked on CALANdar back in the 90s. The program started its life as a quick and dirty in/out notifier. Over the years, it turned int
    • FYP (Score:3, Insightful)

      by tygerstripes (832644)
      I would not trust IE unless it is rewritten from scratch.
      ...by someone else.
    • by Viol8 (599362)
      "I would not trust IE unless it is rewritten from scratch."

      Even then I wouldn't trust it. MS's record at new code isn't any better.
      Besides which, the Mozilla tree was originally a complete rewrite of
      Netscape and that hasn't been exactly bug free. I think the real issue
      is simply browsers having everything including the kitchen sink thrown
      into them. They need to be streamlined, take out some of the eye candy
      and functionality hardly anyone uses and you're off to a better start.
      • Re: (Score:3, Insightful)

        by chrismcdirty (677039)
        I like how Firefox originally started as the slimmer, less resource-intensive version of Mozilla. And look where it is now.
      • These days it seems as though many programmers don't know assembler. They don't know what it is to program with limited amounts of memory and how to write tight and fast code. Part of it may be marketing checklists, but some of it is ignorance and laziness.
  • *sigh* And I sincerely wanted to move to IE7 from Firefox just to be contrarian.
  • Kind of a double edged sword. It's just so intellectually dishonest. Obviously they had found the hole before the release and were just waiting to try to embarrass MS.

    They claim they want to see secure MS software, but work against the industry practice of making software more secure and bug proof by withholding flaws they find.

    • I'm not sure if you're serious or not, but this bug was announced months ago in IE 6:
      The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.

      http://secunia.com/advisories/19738/ [secunia.com]
  • I have used ff for a few years now, and have been a fan. I presently run ff 2 RC3. I overall like ff, but I find besides the memory feature, that it is just slow and balky compared to IE (and I have tweaked the ff settings for speed). I really want to like ff more, but until it becomes a smoother experience, I will likely do most of my browsing with IE7. As for being more secure, I just assume no matter what that any machine connected to the net is not secure and act accordingly.
  • Any publicity is good...good publicity is even better.

    Keep chatting it up, people. This is exactly what red-o-mundo' wants - how's it feel to be sooooo used, eh? :)
  • by Programmer_In_Traini (566499) on Thursday October 19, 2006 @10:39AM (#16502291)
    People will always find something. When you got hundreds of thousands of people checking your software for whatever issue they can find, odds are that they WILL find something. Just because it's fun to bash MS doesn't mean it's feasible to create a software with zero vulnerabilities, that's impossible, new vulnerabilities are created each week.

    I mind much less IE's security than IE's compliance to w3 standards. Now THAT is annoying. Having constantly to create two versions of your code. One for the compliant browsers and then one for IE.

    For some reason, the suits at MS think that because lots of people use their software they have a moral obligation to tell people what the standards should be. Ok...I know IE7 is not as bad... but it's still bad :-)
  • by DigitlDud (443365) on Thursday October 19, 2006 @11:33AM (#16503245)
    The exploit fails running on IE7 in Vista with protected mode.
  • by Trillan (597339) on Thursday October 19, 2006 @11:58AM (#16503647) Homepage Journal
    Dude, 24 hours is more secure for Internet Explorer.
  • Its not true (Score:3, Insightful)

    by Ultragames (1015699) on Thursday October 19, 2006 @01:46PM (#16505509)
    Here is the line of code they use to get the source of the said 3rd party page:

    request.open('GET', 'http://secu'+'nia.com/ie_redir_test_1/?' + Math.random(), true);

    Here is why this 'bug' does not do what they say it does: The browser does not allow AJAX style connections to any domain outside of the one you are currently on. To 'get around this' Secunia has connected to a page on their server which then goes and gets the code. Probably using a readfile command.

    Here is why this is NOT a browser bug: The page that they are calling is on their server which means that it does not have your cookies or your session data. The server page that they are opening can only view the page from the stand point of a not-logged-in user. This isn't a new trick that Secunia just invented, it is used quite often to get data from other websites. But the only way to log into another website in this manner is to have the server side page open a socket into that 3rd party page. This cannot be done, again, because their server does not have your cookie data. This is not a browser bug.
    • Re: (Score:3, Informative)

      by julesh (229690)
      That's not actually what they're doing. Try connecting to that address. Here's what you get:

      Trying 213.150.41.226...
      Connected to secunia.com.
      Escape character is '^]'.
      GET /ie_redir_test_1 HTTP/1.1
      Host: www.secunia.com
      Connection: close

      HTTP/1.1 302 Found
      Date: Thu, 19 Oct 2006 19:30:39 GMT
      Server: Apache
      location: http://secunia.com/ie_redir_test_1 [secunia.com]
      Connection: close
      Transfer-Encoding: chunked
      Content-Type: text/html

      0

      They're sending an HTTP redirect, and the browser's following it. It will then send the cookies fo
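
The redirect case julesh describes, as an added example that is not part of the original thread: a simplified model (not Internet Explorer's code) of a same-origin check applied only to the URL a script requests, beside one applied at every redirect hop. The `*.example` hosts, the in-memory `NETWORK` table and all function names are constructed for illustration.

```javascript
// Added example: a toy model of same-origin checks across HTTP redirects.
// NETWORK, the *.example hosts and all function names are constructed here.
const NETWORK = new Map([
  ["http://page.example/redir", { status: 302, location: "http://other.example/private" }],
  ["http://page.example/local", { status: 302, location: "/data" }],
  ["http://page.example/data", { status: 200, body: "same-site data" }],
  ["http://page.example/loop", { status: 302, location: "/loop" }],
  ["http://other.example/private", { status: 200, body: "other site's document" }],
]);
const MAX_REDIRECTS = 5;

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Walk a redirect chain. checkHop(url, hop) runs before each request and
// throws to refuse it.
function follow(startUrl, checkHop) {
  let url = startUrl;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    checkHop(url, hop);
    const res = NETWORK.get(url);
    if (!res) throw new Error("no such resource: " + url);
    if (res.status < 300 || res.status >= 400) {
      return { finalUrl: url, body: res.body };
    }
    url = new URL(res.location, url).href; // Location may be relative
  }
  throw new Error("too many redirects");
}

function requireSameOrigin(pageUrl, url) {
  if (!sameOrigin(pageUrl, url)) {
    throw new Error("cross-origin request blocked: " + url);
  }
}

// Flawed model: the policy is applied only to the URL the script asked for,
// so a same-site URL that redirects elsewhere hands back the other site's body.
function fetchCheckingFirstUrlOnly(pageUrl, requestUrl) {
  return follow(requestUrl, (url, hop) => {
    if (hop === 0) requireSameOrigin(pageUrl, url);
  });
}

// Hardened model: every hop, including redirect targets, must stay on the
// origin of the page that issued the request.
function fetchCheckingEveryHop(pageUrl, requestUrl) {
  return follow(requestUrl, (url) => requireSameOrigin(pageUrl, url));
}

// Returns the response body on success, or the refusal message.
function attempt(fetcher, requestUrl) {
  try {
    return fetcher("http://page.example/index.html", requestUrl).body;
  } catch (e) {
    return "refused: " + e.message;
  }
}

console.log(attempt(fetchCheckingFirstUrlOnly, "http://page.example/redir"));
console.log(attempt(fetchCheckingEveryHop, "http://page.example/redir"));
```

Same-site redirects (`/local` to `/data`) still succeed under the per-hop check; only a hop that leaves the page's origin is refused.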
