October 30, 2006 8:09 AM PST

Another IE 7 pop-up problem discovered

Security researchers on Monday warned of a problem in Internet Explorer 7 that could allow malicious attackers to alter content in a legitimate Web site's pop-up window.

The issue could affect users who visit a trusted site if a pop-up window opened from that site is made to carry malicious content. This is the second IE 7 problem discovered since Microsoft released the browser two weeks ago. Last week, a security flaw was discovered in IE 7 that could spoof the address of a pop-up window.

The two IE 7 security holes, if used in conjunction with each other, can easily dupe all but the most security-minded users, said Thomas Kristensen, chief technology officer of security company Secunia, which discovered the problems.

Secunia has classed the latest problem as a security vulnerability, while Microsoft states that the situation arises from "by-design behavior" in Web browsers.

"The (Secunia) report describes a by-design behavior in popular Web browsers that allows a Web site to open or re-use a pop-up window," a Microsoft representative said. "In Internet Explorer 7, the Web page's actual URL is displayed in a pop-up window address bar, enabling users to accurately make a trust decision."

Microsoft said that people who follow its safe browsing guidelines and verify an HTTPS connection before entering sensitive personal information can increase their ability to guard against an exploit.

Secunia rated the most recent flaw as "moderately critical" because viewing the content does not provide attackers access to a user's computer. But it can still prove harmful if a user enters sensitive information into the malicious pop-up window, such as credit card information, usernames or passwords, Kristensen noted.

The vulnerability is also rated moderately critical because it requires user interaction and affects only particular trusted Web sites.

Secunia noted that the security flaw can affect a fully patched system running IE 7 and Microsoft Windows XP Service Pack 2.

The security company advises users not to browse untrusted sites in the same session as sites that they trust.


33 comments

one flaw a week in IE7
... pretty good.
Posted by Hardrada (359 comments )
Not bad at all
I was expecting a flood after it was released like we've seen with other browsers of late.

One flaw found so far. Not bad at all.
Posted by Vegaman_Dan (6683 comments )
IE7 yahoo security bug
I have updated my browser to IE 7. I sign in using my login and password and check my mail. I sign out using the sign out link and get the sign out complete page with a return to Yahoo mail link on the top. On clicking the return to Yahoo mail link I am redirected to my inbox without re-logging in. This is a huge security concern.
Posted by realraghu (2 comments )
Hardly IE7
For the IE7 bashers out there, this flaw is not a bug in IE7; it is associated with a Microsoft Office component.
Posted by SuperGhosty (4 comments )
how do you know that ?
Are you an IE7 developer? I think you are referring to an older flaw reported the very next day IE7 got released.
Posted by Hardrada (359 comments )
not a bug its a feature?
So what you are saying is that it's not a bug but a feature?

I think MS has said that before. ;)
Posted by guynamedalex (17 comments )
It's a _Microsoft_ bug
Integrate everything and ram it down a user's throat; it doesn't matter which component contains the bug.
Posted by Microsoft_Facts (109 comments )
Create a separate WebSite or Blog for IE Flaws & update it once a day.
'cause this is not 'news' anymore, this is becoming a day-to-day happening.
Posted by Gurpreet Joshi (9 comments )
IE7, It's still the same quagmire.
IE's turning out to be the same old same old as IE6...!!!
Posted by imacpwr (456 comments )
New number, same MS <lack of> quality!
Is there a single person here that didn't expect IE 7 to be different than any other Microsoft product?
Posted by Microsoft_Facts (109 comments )
Sadly, a few
A few people actually believe MS when it says anything. Even in areas where they have never done well: security and innovation are the two most prominent failures.

MS could say the moon is made of green cheese and these idiots will buy it.
Posted by qwerty75 (1164 comments )
Let me see if I understand correctly...
...how this bug can be used for phishing.
You have to navigate to a malicious site, which will have to open another window of a legal site, which will have to open a popup window requesting information from you.

Hm... I thought that IE7 has a popup blocker, which will prevent you from even seeing the controlled popup. At least for me it does.

And, even if you have the popup blocker off, how stupid do you have to be to navigate to, say, a porn or warez site, click on a link and see all of a sudden a window of your bank site open which opens yet another window asking you for personal data, and still be willing to provide the data?!

Alin
Posted by alinconstantin (20 comments )
That was what I was thinking
IE6 was horrible for security; there is really no question about it. However, these 2 flaws that have been released seem to require a lot of user interaction and effort to actually work. IE7 is still very young and only time will tell whether it's as bad as IE6, but as of now these "flaws" don't really seem that serious.
Posted by Charleston Charge (362 comments )
Education.... Education...
Surfing the web is just as safe as other aspects of your everyday life. For example, when you punch your PIN number at a public ATM situated in a porn shop. Or, when someone uses a stolen credit card at a convenience store and the 16-year-old kid at the register doesn't ask for identification. Or even when you drive down to the nearby H&R Block with a cardboard box filled with your personal financial data. There are many bigger security issues outside of the Internet we all face every day.

Same thing with web browsers... Although every browser has its security flaws, many of these flaws can only be effective when the user "drops his guard". I believe that with formal education on surfing the Internet, along with critical thinking, reasoning and common sense skills, you can avoid just about all of these flaws.

To basically compare the Internet with the rest of your life, you've got to put things into perspective. A good part of living an Internet lifestyle is to 1) watch where you surf, 2) always be alert, and 3) be able to detect bulls**t when you see it.
Posted by groink_hi (380 comments )
Same problem affects Firefox 1.5 and 2.0
Vulnerability Affects Firefox and IE, New and Old
http://www.betanews.com/article/Vulnerability_Affects_Firefox_and_IE_New_and_Old/1162235840
Posted by twagnerma (3 comments )
Let's use some common sense
It doesn't really matter if you like or hate Microsoft, use Firefox or Opera, Apple, Linux, Windows etc. If you don't use common sense you will be ripped off. People have to know that if they don't see https:// they should NEVER input any personal information. They should never click INSTALL when they get an unsolicited request to "protect their PC" while surfing the web. They should never respond to an e-mail asking them to confirm their account even if it looks like it is coming from their bank.

People lose their life's savings on a daily basis to thieves that prey on those who don't use their common sense, even without Microsoft's or Apple's help. This so-called flaw could be avoided by not putting your personal information into a pop-up. Sounds pretty easy, huh?

It is very easy to point fingers when a little bit of common sense is all we need.
Posted by gigwerks (3 comments )
No such thing as "common sense" for fanboys
All you said is true, but it's just much more fun to bash Microsoft.
Posted by Ryo Hazuki (378 comments )
RE: Common Sense
You want common sense? How about this: only a fool clicks on a pop-up instead of linking directly to the site. I don't care if I see the HTTPS:// or not; I only log on to the web site I type in, not one handed to me, so it takes a few seconds more. Better safe than very sorry later.
Ignore the pop-ups and do it yourself; that way, if there is a new update or download you get it direct, not second hand!
Posted by grayfrier (63 comments )
Flaw or Exploit?
The browser is only doing what the web page tells it to do... redirect to another page. It was designed to work that way, as other browsers do as well. This "flaw" affects Firefox as well, yet I see no mention in the article. The title would be more accurate as "Browser pop-up flaw discovered". As an attacker cannot gain control of your computer (can only fool you as to what web page you are really on), and it will only work on web pages designed to do so, I question the author of this article in his manner of reporting it.
Posted by Seaspray0 (9714 comments )
CNet getting to be predictable..
You question the way it is reported? In typical CNET fashion it is biased against Microsoft, makes the story seem larger than it should be, and downplays the official response from Microsoft that it's not so much a bug as it is the browser doing what ANY BROWSER would do.
Posted by Pants Rabbit (3 comments )
What to do now
I have installed IE 7... so should I download IE 6 again and replace 7??????
Posted by ostmanm (1 comment )
Mine Passed secunia's test...
Are we maybe starting to find out that IE 7 is a good browser after all?
Posted by mattumanu (599 comments )
Bottom Line: Change Your Browser
>>>The two IE 7 security holes, if used in conjunction with each other, can easily dupe all but the most security-minded users<<<

Netscape v7.1, v7.2 and v8.0 are not vulnerable.

Firefox v1.5 and v2.0 are not vulnerable.

But even if you don't use Outlook... IE7 is vulnerable. Except that Microsoft still gaffs it off as an Outlook bug even though it's been PROVEN to be exploitable!!!

Walt
Posted by wbenton (522 comments )
Bottom Line: Change Your Attitude
IE 7 has 0 security holes discovered until now, and its only security flaw discovered until now affects FF as well, and the most it can do is to fool a newbie into thinking he/she is in a trusted/secure website when in reality it is not.

All versions of Netscape and Firefox are vulnerable, with Firefox having had 107 found security flaws against 70 in IE6 (source: www.secunia.com). No matter what web browser you use, you are vulnerable, but, as the numbers prove, IE has historically had fewer security flaws than FF. Except that ignorants like you still gaff it off as an IE bug even though it hasn't even been exploited.
Posted by Ryo Hazuki (378 comments )
Regarding popup blockers using internet explorer version 7.0
Regarding popup blockers. Presently, for an old application we are using Internet Explorer version 6.0. Popup blockers need to be turned off when using Internet Explorer version 6.0. There is a problem when the user uses Internet Explorer 7.0. The new application will need to be entered into the Trusted Sites section because of having two or more pop-ups (when creating reports), which IE7 is not allowing (it allows only one pop-up).
Posted by nhanumath (1 comment )