
IE7 Vulnerability Discovered

slidersv writes "Not 24 hours after the release of IE7, Secunia reports Internet Explorer Arbitrary Content Disclosure Vulnerability. So much for the "you wanted it easier and more secure" slogan found on Microsoft's IE Website."
This discussion has been archived. No new comments can be posted.

  • by cliffski ( 65094 ) on Thursday October 19, 2006 @11:05AM (#16501675) Homepage
    That's the root of the problem. I'd wager 90% of the functionality for browsers is only used by 5% of end users. Granted a lot of stuff is demanded by web developers who want fancy this, animated that, and sliding and fading the other, but to be honest, most of us don't need any of that junk.
    As end users, how much of browser bloat do we really need?
    I think there was a Slashdot story asking for feature requests for Firefox recently. My main request is this please:

    less of everything

    It's already at the case where I'm starting to notice how long it takes Firefox to start. Sometimes more features does not mean better. It's like anything, cars, mobile phones, TVs, they all have major feature bloat.
    I found it actually impossible to buy a new mobile *without* internet access. It's insane. I remember when you didn't have an animated 'startup' screen for your phone, because the damned things just switched on.

    Feature bloat -> just say no :D
  • by Salvance ( 1014001 ) on Thursday October 19, 2006 @11:08AM (#16501745) Homepage Journal
    This shouldn't be too much of a surprise ... how many software products are 100% bug free when released, particularly Microsoft's? Anyone who downloads or buys any software within the first few weeks is just asking for it ... and anyone who buys a Microsoft product within the first year is bound to have issues, whether security breaches or just annoying bugs.
  • Active Scripting (Score:2, Insightful)

    by DoomfrogBW ( 1010579 ) on Thursday October 19, 2006 @11:10AM (#16501791)
    This has been a problem in Internet Explorer for a while (IE 6 and prior versions). Most people turn off Active Scripting because of the vulnerabilities. You can disable it and have "trusted" sites for those sites which you want to enable active scripting like http://windowsupdate.microsoft.com./
  • Re:Firefox (Score:2, Insightful)

    by QBasicer ( 781745 ) on Thursday October 19, 2006 @11:10AM (#16501799) Homepage Journal
    We get a quarter, actually. Obviously people are going to defend what they like. I like Firefox, although I never used to. I used to hate Mozilla, Netscape and family. I used Opera for a while, but I just don't like IE. I'm sure the day is soon coming when Firefox will have exploit after exploit.
  • Re:Old exploit (Score:2, Insightful)

    by otacon ( 445694 ) on Thursday October 19, 2006 @11:11AM (#16501801)
    That is all the more reason to be concerned about it. If the flaw was known in IE6 then why in the world wouldn't it have been addressed in IE7? I mean, they've been working on it for half the decade, for crying out loud.
  • Re:This is news??? (Score:4, Insightful)

    by shadowmas ( 697397 ) on Thursday October 19, 2006 @11:11AM (#16501807)
    The problem isn't so much not having bugs in FF but the fact that MS is trying to make it look like the new IE is revolutionary and more secure than FF.
  • by acvh ( 120205 ) <`geek' `at' `mscigars.com'> on Thursday October 19, 2006 @11:16AM (#16501903) Homepage

    While I agree with your No Bloat argument, you neglected an oft overlooked reason that IE contains all these "features", and it's not web developers. It's application developers. There are a slew of vertical market applications that many small to midsize companies are using, where the developer has dropped, or maybe never had, its own user interface, in favor of using IE and ActiveX controls. Insurance brokerages, medical practices, law firms and more, all of them have large, commercial, expensive applications available to them for running their businesses, and many of them are IE based. IE in these cases is just the front end to data stores running on everything from SQL Server on Intel to AIX on Power to whatever. Many times with no Internet connectivity at all.

    MSFT can't just disable, drop or change these features, because doing so could break an entire business. So they just pile up more and more code into an already chaotic program.

  • Helllloo? (Score:5, Insightful)

    by thepotoo ( 829391 ) <thepotoospam@@@yahoo...com> on Thursday October 19, 2006 @11:22AM (#16501981)
    Last time I checked, Firefox was open source. You are more than welcome to fork the project and make a "lite" version. I would probably give it a try.

    But, don't forget that if you strip away too much, you'll end up with Lynx. Some people like at least images and css, you know?

  • That's the root of the problem. I'd wager 90% of the functionality for browsers is only used by 5% of end users.

    You would lose that wager. 80%+ of the technology that makes web browsers tick is required just to show you a blasted web page. The standardized APIs allow a good way for JavaScript to then make those pages interactive. Not too many sites are JavaScript-free these days.

    What I think you're trying to say, is that features above and beyond the W3C standards are:

    1. Not useful
    2. Poor attempts at lockin
    3. Dangerous

    If Microsoft would just stick to the bloody standards, we'd all be better off. Unfortunately, they're still in 1995 mode, trying to beat Netscape at their own propertization game. It wouldn't surprise me if the requests for DOM 2 Events support were STILL ignored in this "final" release of IE7. *grumble* And Microsoft thinks developers will like them because of this?
  • FYP (Score:3, Insightful)

    by tygerstripes ( 832644 ) on Thursday October 19, 2006 @11:22AM (#16502003)
    I would not trust IE unless it is rewritten from scratch.
    ...by someone else.
  • Re:Firefox (Score:2, Insightful)

    by diersing ( 679767 ) on Thursday October 19, 2006 @11:24AM (#16502033)
    And if you were honest you wouldn't be hiding behind the AC label.
  • by KillQuentin ( 777853 ) on Thursday October 19, 2006 @11:37AM (#16502259)
    Maybe IE is bloated - but this is often the fate of a successful application.

    Surely it must be possible to structure the system so that the threat caused by any application going crazy/malicious, can be contained?

    This is the system architecture issue that is wider than just a browser.

  • by Programmer_In_Traini ( 566499 ) on Thursday October 19, 2006 @11:39AM (#16502291)
    People will always find something. When you've got hundreds of thousands of people checking your software for whatever issue they can find, odds are that they WILL find something. Just because it's fun to bash MS doesn't mean it's feasible to create a software with zero vulnerabilities; that's impossible, new vulnerabilities are created each week.

    I mind much less IE's security than IE's compliance to w3 standards. Now THAT is annoying. Having constantly to create two versions of your code. One for the compliant browsers and then one for IE.

    For some reason, the suits at MS think that because lots of people use their software they have a moral obligation to tell people what the standards should be. Ok...I know IE7 is not as bad... but it's still bad :-)
  • by chrismcdirty ( 677039 ) on Thursday October 19, 2006 @11:44AM (#16502399) Homepage
    I like how Firefox originally started as the slimmer, less resource-intensive version of Mozilla. And look where it is now.
  • by www.sorehands.com ( 142825 ) on Thursday October 19, 2006 @11:50AM (#16502505) Homepage
    These days it seems as though many programmers don't know assembler. They don't know what it is to program with limited amounts of memory and how to write tight and fast code. Part of it may be marketing checklists, but some of it is ignorance and laziness.
  • Re:Old exploit (Score:5, Insightful)

    by Overly Critical Guy ( 663429 ) on Thursday October 19, 2006 @12:01PM (#16502709)
    Well, you could argue that it was quickly discovered to still exist in IE7. Interestingly, this vulnerability contradicts claims that IE7 is a rewrite. Clearly, it is not.
  • Re:Let's be fair (Score:5, Insightful)

    by Overly Critical Guy ( 663429 ) on Thursday October 19, 2006 @12:05PM (#16502775)
    That makes it worse. Not only is IE7 not a "rewrite" as some claimed, but it doesn't fix known vulnerabilities in its previous version. At least if it was new code, you could understand and expect an unknown vulnerability.
  • by cliffski ( 65094 ) on Thursday October 19, 2006 @12:14PM (#16502941) Homepage
    Hang on, my dad has a Razor phone, that's exactly the kind of thing I didn't want. That's bloatware extreme. I don't want web access, or even the option for it, or the buttons for it, or anything. Not a camera, not a microphone, nada. Zip.
    I just want a phone. To make and receive calls. I don't even text.

    I know I know, I'm old.
  • Re:Vista RC2 (Score:2, Insightful)

    by Chosen Reject ( 842143 ) on Thursday October 19, 2006 @12:15PM (#16502955)
    So an old vulnerability that was already known in IE6 shows up in IE7 and we're not supposed to be worried? There is this concept called credibility. It relates to someone's trustability. Not that Microsoft had a lot of it before, but when their newfangled browser that is so much more secure still contains a vulnerability from 6 months ago, IE7 starts with a default of ZERO credibility.
  • Re:Come on (Score:2, Insightful)

    by Idaho ( 12907 ) on Thursday October 19, 2006 @12:18PM (#16503013)

    It's a "Less critical" vulnerability - not really dangerous at all.


    Uhm, hello!?

    Using this hole any arbitrary website you visit can request pages from arbitrary other websites *through your browser*, that means including sites to which you may be logged in at the time. For example, your bank account, PayPal account, eBay account. They don't even *need* to steal your password if you still have open sessions at sites that matter...

    I rather fail to see how this is "not really dangerous at all"!
  • Re:Firefox (Score:3, Insightful)

    by gkhan1 ( 886823 ) <oskarsigvardsson ... m minus caffeine> on Thursday October 19, 2006 @12:27PM (#16503145)

    He has made 291 comments in the past. He has a number of fans and a number of freaks. He has made comments that some people like and some people don't like, and no matter what he stands for it, by using his account. You're a coward because you make trollish comments and don't have the balls to stand for what you say. You're worried that some people might use your comments against you in a future discussion, or you're worried that this might harm your karma.

    The difference? He's a man that's not afraid to stand by what he said, you're a small boy that runs around and creates a mess and then blames someone else. If you have any sort of backbone and not a spine made of jello, you should reveal your username. No? I figured you wouldn't.

  • by Anonymous Coward on Thursday October 19, 2006 @01:05PM (#16503743)
    It's funny to see how snotty the purists get when their tech is hacked and abused to do things it wasn't "intended" to do. Especially when these same folk revel in doing it to other things.

    Seriously, get with the fucking program - the people have spoken and this is what they want. No one gives a fuck all about HTTP being for text only. Shut up or get off.

  • Re:Let's be fair (Score:3, Insightful)

    by poulbailey ( 231304 ) on Thursday October 19, 2006 @02:42PM (#16505415)
    Not only is IE7 not a "rewrite" as some claimed
    That's the second time you've said this. Who exactly claimed IE7 was a rewrite? Microsoft or the voices in your head?
  • It's not true (Score:3, Insightful)

    by Ultragames ( 1015699 ) on Thursday October 19, 2006 @02:46PM (#16505509)
    Here is the line of code they use to get the source of the said 3rd party page:

    request.open('GET', 'http://secu'+'nia.com/ie_redir_test_1/?' + Math.random(), true);

    Here is why this 'bug' does not do what they say it does: The browser does not allow AJAX style connections to any domain outside of the one you are currently on. To 'get around this' Secunia has connected to a page on their server which then goes and gets the code. Probably using a readfile command.

    Here is why this is NOT a browser bug: The page that they are calling is on their server, which means that it does not have your cookies or your session data. The server page that they are opening can only view the page from the standpoint of a not-logged-in user. This isn't a new trick that Secunia just invented; it is used quite often to get data from other websites. But the only way to log into another website in this manner is to have the server side page open a socket into that 3rd party page. This cannot be done, again, because their server does not have your cookie data. This is not a browser bug.
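
An added illustration, not part of the comment above or of Secunia's test: a small model of the two request paths the thread argues about, a server-side relay that fetches a page with no user cookies and a browser-issued request that carries them, with the same-origin check deciding what script may read. The hosts `bank.example` and `relay.example`, the cookie value and all function names are constructed for the example.

```javascript
// Constructed model of the two request paths discussed above. Hosts, cookie
// values and function names are made up; this is not browser or Secunia code.
const originOf = (url) => new URL(url).origin;

// Constructed sites: each handler receives the cookies sent with the request.
const sites = {
  "https://bank.example": (cookies) =>
    cookies.session === "s3cret" ? "balance: 1000" : "please log in",
  // Server-side relay: fetches the target itself, with its own empty jar.
  "https://relay.example": (cookies, url) =>
    send(new URL(url).searchParams.get("fetch"), {}),
};

// Deliver a request to the site that owns the URL's origin.
function send(url, cookies) {
  const handler = sites[originOf(url)];
  if (!handler) throw new Error("unknown host: " + url);
  return handler(cookies, url);
}

// In this model the browser keeps one cookie jar per origin and attaches it.
class Browser {
  constructor() { this.jars = new Map(); }
  setCookie(url, name, value) {
    const o = originOf(url);
    this.jars.set(o, { ...(this.jars.get(o) || {}), [name]: value });
  }
  // XMLHttpRequest-style call made by script running on pageUrl.
  xhr(pageUrl, targetUrl) {
    // Same-origin policy: script may only read its own origin's responses.
    if (originOf(pageUrl) !== originOf(targetUrl)) {
      throw new Error("blocked: cross-origin read");
    }
    return send(targetUrl, this.jars.get(originOf(targetUrl)) || {});
  }
}

function demo() {
  const b = new Browser();
  b.setCookie("https://bank.example/", "session", "s3cret"); // user logged in
  const page = "https://relay.example/test";
  const bank = "https://bank.example/account";
  const viaRelay = b.xhr(page, "https://relay.example/?fetch=" + encodeURIComponent(bank));
  let direct;
  try { direct = b.xhr(page, bank); } catch (e) { direct = e.message; }
  const sameOrigin = b.xhr("https://bank.example/home", bank);
  return { viaRelay, direct, sameOrigin };
}
console.log(demo());
```

The relay path only ever returns the logged-out page, while the logged-in page is reachable only by a request the browser itself sends with the user's cookies, which is why the same-origin check in `xhr` is the boundary that matters.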
  • Re:two words (Score:5, Insightful)

    by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Thursday October 19, 2006 @05:14PM (#16508445) Homepage
    How much you want to bet this guy found the vuln weeks ago, but held off on releasing it so he could brag that he discovered the first IE7 vuln, and it only took him less than 24hr!
  • Re:two words (Score:5, Insightful)

    by PylonHead ( 61401 ) on Thursday October 19, 2006 @06:12PM (#16509219) Homepage Journal
    Yes, you're right.. it is traditional when releasing a new version of software to THROW OUT ALL YOUR CODE AND START OVER FROM SCRATCH.

    I love it when people in the cake decorating industry post to Slashdot.
