IE7 Vulnerability Discovered
slidersv writes "Not 24 hours after the release of IE7, Secunia reports Internet Explorer Arbitrary Content Disclosure Vulnerability. So much for the "you wanted it easier and more secure" slogan found on Microsoft's IE Website."
Old exploit (Score:5, Informative)
Re:This is news??? (Score:4, Informative)
It's already been done [slashdot.org] and found to be a hoax [slashdot.org].
Anything else you want to complain about?
Let's be fair (Score:5, Informative)
Come on (Score:3, Informative)
Re:two words (Score:2, Informative)
IE7 maybe not vulnerable? (Score:5, Informative)
Not an MS fan, but truth and accuracy are always good.
Re:IE7 maybe not vulnerable? (Score:4, Informative)
http://secunia.com/advisories/22477/ [secunia.com]
Re:Firefox (Score:4, Informative)
Excuse, but where did you read that FF has that exact same vulnerability?
Also, even though FF does have issues, I believe you'll be hard pressed to find a vulnerability in FF that has been known for years and still gone unfixed. (According to heise on http://www.heise-security.co.uk/news/79745 [heise-security.co.uk] this is actually an old bug that also affects IE 6)
Re:two words (Score:3, Informative)
FireTroll or TrollFox... nope, just a good idea (Score:2, Informative)
It's a serious point. You could make a lite version. Lots of people would give it a try, me included. And there have already been forks of Firefox, like IceWeasel and Tor Park.
If it were talking about forking IE, it should be labeled "joke". As it's talking about Open Source stuff, it should be "insightful".
Re:two words (Score:4, Informative)
blabla.tld.
http://www.google.com/ [google.com]
http://www.google.com./ [www.google.com]
Both work.
Brillant Link. (Score:4, Informative)
Paula's Brillant Bean:
http://thedailywtf.com/forums/40043/ShowPost.aspx [thedailywtf.com]
Re:Come on (Score:5, Informative)
Doesn't work on Vista (Score:3, Informative)
Re:Memory leaks (Score:3, Informative)
Which version? (Score:2, Informative)
So just what version are you discussing here?
What about that IE7 registry key to block setup? (Score:2, Informative)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0]
"DoNotAllowIE70"=dword:00000001
I had thought it would categorically deny even the downloaded setup file, not just setups that were (eventually) launched from inside WindowsUpdate.
Re:Browsers are just too complex (Score:3, Informative)
Like this: http://www.websiteoptimization.com/speed/tweak/co
Re:Its not true (Score:3, Informative)
Trying 213.150.41.226...
Connected to secunia.com.
Escape character is '^]'.
GET
Host: www.secunia.com
Connection: close
HTTP/1.1 302 Found
Date: Thu, 19 Oct 2006 19:30:39 GMT
Server: Apache
location: http://secunia.com/ie_redir_test_1 [secunia.com]
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
0
They're sending an HTTP redirect, and the browser's following it. It will then send the cookies for the redirected URL to the server, and the server will return data expecting it to go into its own security context. This does allow data stealing.
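An added example, not part of the comment above and not code from any browser: the origin check a client would have to apply after following a redirect like the one in that capture, before letting the requesting page read the response body. The function names, the requesting page URL and the trimmed sample response are assumptions constructed for illustration.

```javascript
// Constructed sample, modelled on the 302 response in the telnet capture above.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 302 Found",
  "Server: Apache",
  "location: http://secunia.com/ie_redir_test_1",
  "Connection: close",
  "",
  "",
].join("\r\n");

// Parse the status code and headers (names lower-cased) from a raw response head.
function parseResponseHead(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const [statusLine, ...headerLines] = head.split("\r\n");
  const m = /^HTTP\/\d\.\d (\d{3})/.exec(statusLine);
  if (!m) throw new Error("not an HTTP response");
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(m[1]), headers };
}

// Hypothetical policy helper: may script running in pageUrl read the body of a
// request it made to requestUrl, given the server's raw response?
// The decision is taken on the origin of the URL the data finally comes from,
// not on the URL the script originally asked for.
function checkRedirect(pageUrl, requestUrl, rawResponse) {
  const { status, headers } = parseResponseHead(rawResponse);
  const pageOrigin = new URL(pageUrl).origin;
  const isRedirect = [301, 302, 303, 307, 308].includes(status) && headers.location;
  // A relative Location is resolved against the URL that was requested.
  const finalUrl = isRedirect ? new URL(headers.location, requestUrl) : new URL(requestUrl);
  const sameOrigin = finalUrl.origin === pageOrigin;
  return {
    redirected: Boolean(isRedirect),
    finalUrl: finalUrl.href,
    mayExposeBody: sameOrigin,
  };
}

// Requesting page on www.secunia.com (assumed); the redirect leaves that origin.
console.log(checkRedirect("http://www.secunia.com/page", "http://www.secunia.com/", SAMPLE_RESPONSE));
```
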
Not an IE flaw, but an Outlook Express flaw (Score:0, Informative)
MS: IE7 Flaw Really in Outlook Express
By Nate Mook, BetaNews
October 19, 2006, 4:46 PM
Microsoft responded Thursday to reports of the first exploit affecting Internet Explorer 7, which cropped up less than 24 hours after the browser's official launch. Christopher Budd from Microsoft's Security Response Center says the flaw lies not in IE7, but in an Outlook Express component.
This fact could explain why the problem first surfaced back in November 2003 and was found to affect IE6 last April. "While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express," Budd said. Microsoft notes it has received no reports of any attacks against customers, but is investigating the situation and may release a patch if necessary.
Re:Let's be fair (Score:4, Informative)