Another IE 7 pop-up problem discovered

Security researchers on Monday warned of a problem in Internet Explorer 7 that could allow malicious attackers to alter content in a legitimate Web site's pop-up window.

The browser issue could affect users who visit a trusted site by opening a pop-up window in that site that contains malicious code. This is the second IE 7 problem that has been discovered since Microsoft released the browser two weeks ago. Last week, a security flaw was discovered in IE 7 that could spoof the address of a pop-up window.

The two IE 7 security holes, if used in conjunction with each other, can easily dupe all but the most security-minded users, said Thomas Kristensen, chief technology officer of security company Secunia, which discovered the problems.

Secunia has classed the latest problem a security vulnerability, while Microsoft states the situation arises from "by-design behavior" in the browsers.

"The (Secunia) report describes a by-design behavior in popular Web browsers that allows a Web site to open or re-use a pop-up window," a Microsoft reprensentative said. "In Internet Explorer 7, the Web page's actual URL is displayed in a pop-up window address bar, enabling users to accurately make a trust decision."

Microsoft said that people who follow its safe browsing guidelines and verify an HTTPS connection before entering sensitive personal information can increase their ability to guard against an exploit.

Secunia rated the most recent flaw as "moderately critical" because viewing the content does not provide attackers access to a user's computer. But it can still prove harmful if a user enters sensitive information into the malicious pop-up window, such as credit card information, usernames or passwords, Kristensen noted.

The vulnerability is also rated moderately critical because it requires user interaction and affects only particular trusted Web sites.

Secunia noted that the security flaw can affect a fully patched system running IE 7 and Microsoft Windows XP Service Pack 2.

The security company advises users to avoid browsing untrusted sites while browsing sites that they trust.

[Hardrada]

one flaw a week in IE7

... pretty good.

[Vegaman_Dan]

Not bad at all

I was expecting a flood after it was released like we've seen with other browsers of late.

One flaw found so far. Not bad at all.

[realraghu]

IE7 yahoo security bug

I have updated my browser to IE 7. I signin using my login and password
and check my mails . I signout using the sign out link and get sign out
complete page with return to yahoo mail link on the top. On clicking
return to yahoo mail link I am redirected to my inbox without re-loging
in . This is a huge security concern.

[SuperGhosty]

Hardly IE7

For the IE7 bashers out there this flaw is not a bug in IE7 it is associated with a Microsoft Office component.

[Hardrada]

how do you know that ?

are you an IE7 developer ? i think you are refering to an older flaw reported the very next day IE7 got released.

[guynamedalex]

not a bug its a feature?

So what you are saying is that its not a bug but a feature?

I think MS has said that before. ;)

[Microsoft_Facts]

It's a _Microsoft_ bug

Integrate everything and ram it down a users throat, it doesn't matter which component contains the bug.

[Gurpreet Joshi]

Create a separate WebSite or Blog for IE Flaws & update it once a day.

'cause This is not a 'news' anymore, this is becoming a day to day happening.

[imacpwr]

IE7, It's still the same quagmire.

IE's turning out to be the same old same o as IE6...!!!

[Microsoft_Facts]

New number, same MS <lack of> quality!

Is there a single person here that didn't expect IE 7 to be different than any other Microsoft product?

[qwerty75]

Sadly, a few

A few people actually believe when MS says anything. Even is areas that they have never done well: security and innovation are the two most prominent failures.

MS could say the moon is made of green cheese and these idiots will buy it.

[alinconstantin]

Let me see if I understand correctly...

...how this bug can be used for phishing.
You have to navigate to a maliciuous site, which will have to open another window of a legal site, which will have to open a popup window requesting information from you.

Hm... I thought that IE7 has a popup blocker, which will prevent you from even seeing the controlled popup. At least for me it does.

And, even if you have the popup blocker off, how stupid you have to be to navigate say a porn or warez site, click on a link and see opening all of a sudden a window of your bank site which opens yet another window asking you for personal data, and you'd still be willing to provide the data?!

Alin

[Charleston Charge]

That was what I was thinking

IE6 was horrible for security there is really no question about it. However these 2 flaws that have been released seem to require a lot of user interaction and effort to actually work. IE7

[Charleston Charge]

That was what I was thinking

IE6 was horrible for security there is really no question about it. However these 2 flaws that have been released seem to require a lot of user interaction and effort to actually work. IE7 is still very young and time will only tell whether it's as bad as IE6, but as of now these "flaws" don't really seem that serious.

[groink_hi]

Education.... Education...

Surfing the web is just as safe as other aspects of your everyday life. For example, when you punch your pin number at public ATM situated in a porn shop. Or, when someone uses a stolen credit card at a convenience store and the 16-year old kid at the register doesn't ask for identification. Or even when you drive down to the nearby H&R Block with a cardboard box filled with your personal financial data. There are many bigger security issues outside of the Internet we all face everyday.

Same thing with web browsers... Although every browser has its security flaws, many of these flaws can only be effective when the user "drops his guard". I believe that with formal education on surfing the Internet, along with critical thinking, reasoning and common sense skills, you can avoid just about all of these flaws.

To basically compare the Internet with the rest of your life, you've got to put things into perspective. A good part of living an Internet lifestyle is to 1) watch where you surf, 2) always be alert, and 3) be able to detect bulls**t when you see it.

[twagnerma]

Same problem affects Firefox 1.5 and 2.0

Vulnerability Affects Firefox and IE, New and Old
http://www.betanews.com/article/Vulnerability_Affects_Firefox_and_IE_New_and_Old/1162235840

[gigwerks]

Let's use some common sense

It doesn't really matter if you like or hate Microsoft, use Firefox or Opera, Apple, Linux, Windows etc. If you don't use common sense you will be ripped off. People have to know that if they don't see https:// they should NEVER input any personal information. They should never click INSTALL when they get an unsolicited request to "protect their PC" while surfing the web. They should never respond to an e-mail asking you to confirm your account even if it looks like it is coming from your bank.

People lose their life's savings on a daily basis to thieves that prey on those who don't use their common sense, even without Microsoft's or Apples help. This so-called flaw could be avoided by not putting your personal information into a pop-up. Sounds pretty easy huh?

It is very easy to point fingers when a little bit of common sense is all we need.

[Ryo Hazuki]

No such thing as "common sense" for fanboys

All you said is true, but it's just much more fun to bash Microsoft.

[grayfrier]

RE: Common Sense

You want common sense how about this only a fool clicks on a pop up instead on linking directly to to the site i don't care if i see the HTTPS://
or not i only log on the the web site i type in not one handed me so it takes a few seconds more better safe than very sorry later.
Ignore the Pops and do it your self that way if there is a new update or download you get it direct not second hand!

[Seaspray0]

Flaw or Exploit?

the browser is only doing what the web page tells it to do... redirect to another page. It was designed to work that way as other browsers do as well. This "flaw" affects Firefox as well yet I see no mention in the article. The title would be more accurate as "Browser pop-up flaw discovered". As an attacker cannot gain control of your computer (can only fool you as to what web page you are really on), and will only work on web pages designed to do so, I question the author of this article in his manner of reporting it.

[Pants Rabbit]

CNet getting to be predictable..

You question the way it is reported? In typical cnet fashion it is biased against Microsoft, makes the story seem larger than it should be, and downplays the official response from Microsoft that its not so much a bug, as it is the browser doing what ANY BROWSER would do.

[ostmanm]

What to do now

I have installed IE 7....so should I download IE 6 again and replace 7??????

[mattumanu]

Mine Passed secunia's test...

Are we maybe starting to find out that IE 7 is a good browser after all?

[wbenton]

Bottom Line: Change Your Browser

>>>The two IE 7 security holes, if used in conjunction with each other, can easily dupe all but the most security-minded users<<<

NetScape v7.l, v7.2 and v8.0 are not vulnerabile.

Firefox v1.5 and v2.0 are not vulnerable.

But even if you don't use Outlook... IE7 is vulnerable. Except that Microsoft still gaffs it off as an Outlook bug even though it's been PROVEN to be exploitable!!!

Walt

[Ryo Hazuki]

Bottom Line: Change Your Attitude

IE 7 has 0 security holes discovered until now and the its only security flaw discovered until now affects FF too aswell and the most it can do is to fool a newbie into thinking he/she is in a trusted/secure website when is in reality is not.

All version of Netscape and Firefox are vulnerable, with Firefox having had 107 found security flaws against 70 in IE6 (source: www.secunia.com). No matter what web browser you use, you are vulnerable, but, as numbers proove, IE has historically less security flaws than FF. Except that ignorants like you still gaff it off as an IE bug even though it hasn't even been exploited.

[nhanumath]

Regarding popup blockers using internet explorer version 7.0

Regarding popup blockers. Presently for old application we are using internet explorer version6.0. popup blockers need to be

turned off when using Internet Exploere version6.0. there is problem when user used by internet explorer7.0. For new

application will need to be entered into the Trusted Sites section because of having two or more pop-ups (when creating

reports), which IE7 is not allowing (it allows only one pop-up).