Security researchers on Monday warned of a problem in Internet Explorer 7 that could allow malicious attackers to alter content in a legitimate Web site's pop-up window.
The two IE 7 security holes, if used in conjunction with each other, can easily dupe all but the most security-minded users, said Thomas Kristensen, chief technology officer of security company Secunia, which discovered the problems.
Secunia has classed the latest problem a security vulnerability, while Microsoft states the situation arises from "by-design behavior" in the browsers.
"The (Secunia) report describes a by-design behavior in popular Web browsers that allows a Web site to open or re-use a pop-up window," a Microsoft reprensentative said. "In Internet Explorer 7, the Web page's actual URL is displayed in a pop-up window address bar, enabling users to accurately make a trust decision."
Microsoft said that people who follow its safe browsing guidelines and verify an HTTPS connection before entering sensitive personal information can increase their ability to guard against an exploit.
Secunia rated the most recent flaw as "moderately critical" because viewing the content does not provide attackers access to a user's computer. But it can still prove harmful if a user enters sensitive information into the malicious pop-up window, such as credit card information, usernames or passwords, Kristensen noted.
The vulnerability is also rated moderately critical because it requires user interaction and affects only particular trusted Web sites.
Secunia noted that the security flaw can affect a fully patched system running IE 7 and Microsoft Windows XP Service Pack 2.
The security company advises users to avoid browsing untrusted sites while browsing sites that they trust.
I have updated my browser to IE 7. I signin using my login and password and check my mails . I signout using the sign out link and get sign out complete page with return to yahoo mail link on the top. On clicking return to yahoo mail link I am redirected to my inbox without re-loging in . This is a huge security concern.
A few people actually believe when MS says anything. Even is areas that they have never done well: security and innovation are the two most prominent failures.
MS could say the moon is made of green cheese and these idiots will buy it.
...how this bug can be used for phishing. You have to navigate to a maliciuous site, which will have to open another window of a legal site, which will have to open a popup window requesting information from you.
Hm... I thought that IE7 has a popup blocker, which will prevent you from even seeing the controlled popup. At least for me it does.
And, even if you have the popup blocker off, how stupid you have to be to navigate say a porn or warez site, click on a link and see opening all of a sudden a window of your bank site which opens yet another window asking you for personal data, and you'd still be willing to provide the data?!
IE6 was horrible for security there is really no question about it. However these 2 flaws that have been released seem to require a lot of user interaction and effort to actually work. IE7
IE6 was horrible for security there is really no question about it. However these 2 flaws that have been released seem to require a lot of user interaction and effort to actually work. IE7 is still very young and time will only tell whether it's as bad as IE6, but as of now these "flaws" don't really seem that serious.
Surfing the web is just as safe as other aspects of your everyday life. For example, when you punch your pin number at public ATM situated in a porn shop. Or, when someone uses a stolen credit card at a convenience store and the 16-year old kid at the register doesn't ask for identification. Or even when you drive down to the nearby H&R Block with a cardboard box filled with your personal financial data. There are many bigger security issues outside of the Internet we all face everyday.
Same thing with web browsers... Although every browser has its security flaws, many of these flaws can only be effective when the user "drops his guard". I believe that with formal education on surfing the Internet, along with critical thinking, reasoning and common sense skills, you can avoid just about all of these flaws.
To basically compare the Internet with the rest of your life, you've got to put things into perspective. A good part of living an Internet lifestyle is to 1) watch where you surf, 2) always be alert, and 3) be able to detect bulls**t when you see it.
Vulnerability Affects Firefox and IE, New and Old <a class="jive-link-external" href="http://www.betanews.com/article/Vulnerability_Affects_Firefox_and_IE_New_and_Old/1162235840" target="_newWindow">http://www.betanews.com/article/Vulnerability_Affects_Firefox_and_IE_New_and_Old/1162235840</a>
It doesn't really matter if you like or hate Microsoft, use Firefox or Opera, Apple, Linux, Windows etc. If you don't use common sense you will be ripped off. People have to know that if they don't see <a class="jive-link-external" href="https://" target="_newWindow">https://</a> they should NEVER input any personal information. They should never click INSTALL when they get an unsolicited request to "protect their PC" while surfing the web. They should never respond to an e-mail asking you to confirm your account even if it looks like it is coming from your bank.
People lose their life's savings on a daily basis to thieves that prey on those who don't use their common sense, even without Microsoft's or Apples help. This so-called flaw could be avoided by not putting your personal information into a pop-up. Sounds pretty easy huh?
It is very easy to point fingers when a little bit of common sense is all we need.
You want common sense how about this only a fool clicks on a pop up instead on linking directly to to the site i don't care if i see the HTTPS:// or not i only log on the the web site i type in not one handed me so it takes a few seconds more better safe than very sorry later. Ignore the Pops and do it your self that way if there is a new update or download you get it direct not second hand!
the browser is only doing what the web page tells it to do... redirect to another page. It was designed to work that way as other browsers do as well. This "flaw" affects Firefox as well yet I see no mention in the article. The title would be more accurate as "Browser pop-up flaw discovered". As an attacker cannot gain control of your computer (can only fool you as to what web page you are really on), and will only work on web pages designed to do so, I question the author of this article in his manner of reporting it.
You question the way it is reported? In typical cnet fashion it is biased against Microsoft, makes the story seem larger than it should be, and downplays the official response from Microsoft that its not so much a bug, as it is the browser doing what ANY BROWSER would do.
>>>The two IE 7 security holes, if used in conjunction with each other, can easily dupe all but the most security-minded users<<<
NetScape v7.l, v7.2 and v8.0 are not vulnerabile.
Firefox v1.5 and v2.0 are not vulnerable.
But even if you don't use Outlook... IE7 is vulnerable. Except that Microsoft still gaffs it off as an Outlook bug even though it's been PROVEN to be exploitable!!!
IE 7 has 0 security holes discovered until now and the its only security flaw discovered until now affects FF too aswell and the most it can do is to fool a newbie into thinking he/she is in a trusted/secure website when is in reality is not.
All version of Netscape and Firefox are vulnerable, with Firefox having had 107 found security flaws against 70 in IE6 (source: www.secunia.com). No matter what web browser you use, you are vulnerable, but, as numbers proove, IE has historically less security flaws than FF. Except that ignorants like you still gaff it off as an IE bug even though it hasn't even been exploited.
Chinese authorities have reportedly taken iPads from a third-party retailer, a move apparently brought on by Apple's continued refusal to honor a trademark for the iPad name owned by a Chinese manufacturer.
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.
After a higher-than-expected fourth quarter, the video subscription service unburdens itself of a pending yearlong class action suit and settles for $9 million.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
This week, we pass around Sony's new PlayStation Vita for some hands-on testing, check out HP's newest Beats Audio laptop, and debate the best and worst Valentine's Day gadget gifts.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
One flaw found so far. Not bad at all.
and check my mails . I signout using the sign out link and get sign out
complete page with return to yahoo mail link on the top. On clicking
return to yahoo mail link I am redirected to my inbox without re-loging
in . This is a huge security concern.
I think MS has said that before. ;)
MS could say the moon is made of green cheese and these idiots will buy it.
You have to navigate to a maliciuous site, which will have to open another window of a legal site, which will have to open a popup window requesting information from you.
Hm... I thought that IE7 has a popup blocker, which will prevent you from even seeing the controlled popup. At least for me it does.
And, even if you have the popup blocker off, how stupid you have to be to navigate say a porn or warez site, click on a link and see opening all of a sudden a window of your bank site which opens yet another window asking you for personal data, and you'd still be willing to provide the data?!
Alin
Same thing with web browsers... Although every browser has its security flaws, many of these flaws can only be effective when the user "drops his guard". I believe that with formal education on surfing the Internet, along with critical thinking, reasoning and common sense skills, you can avoid just about all of these flaws.
To basically compare the Internet with the rest of your life, you've got to put things into perspective. A good part of living an Internet lifestyle is to 1) watch where you surf, 2) always be alert, and 3) be able to detect bulls**t when you see it.
<a class="jive-link-external" href="http://www.betanews.com/article/Vulnerability_Affects_Firefox_and_IE_New_and_Old/1162235840" target="_newWindow">http://www.betanews.com/article/Vulnerability_Affects_Firefox_and_IE_New_and_Old/1162235840</a>
People lose their life's savings on a daily basis to thieves that prey on those who don't use their common sense, even without Microsoft's or Apples help. This so-called flaw could be avoided by not putting your personal information into a pop-up. Sounds pretty easy huh?
It is very easy to point fingers when a little bit of common sense is all we need.
or not i only log on the the web site i type in not one handed me so it takes a few seconds more better safe than very sorry later.
Ignore the Pops and do it your self that way if there is a new update or download you get it direct not second hand!
NetScape v7.l, v7.2 and v8.0 are not vulnerabile.
Firefox v1.5 and v2.0 are not vulnerable.
But even if you don't use Outlook... IE7 is vulnerable. Except that Microsoft still gaffs it off as an Outlook bug even though it's been PROVEN to be exploitable!!!
Walt
All version of Netscape and Firefox are vulnerable, with Firefox having had 107 found security flaws against 70 in IE6 (source: www.secunia.com). No matter what web browser you use, you are vulnerable, but, as numbers proove, IE has historically less security flaws than FF. Except that ignorants like you still gaff it off as an IE bug even though it hasn't even been exploited.
turned off when using Internet Exploere version6.0. there is problem when user used by internet explorer7.0. For new
application will need to be entered into the Trusted Sites section because of having two or more pop-ups (when creating
reports), which IE7 is not allowing (it allows only one pop-up).