February 26, 2007 2:59 PM PST

Microsoft probes IE 7, Vista bug reports

Microsoft is investigating two recently disclosed security vulnerabilities that affect Internet Explorer 7 and Windows Vista, the company said Monday.

The vulnerabilities aren't considered high-risk, yet they affect the latest releases of Microsoft's Web browser and operating system software. Microsoft has promoted the security of both IE 7 and Windows Vista. The flaws could let attackers get their hands on sensitive user information, security experts have warned.

The French Security Incident Response Team said in an alert that the IE vulnerability, which also affects IE 6, could be exploited in phishing attacks, scams that try to trick people into giving up sensitive information such as credit card data and Social Security numbers. The problem exists because of an error in the way the browser handles certain "onunload" events, the security monitoring company said. Attackers could exploit the issue to spoof the browser address bar, FrSirt said.

The Windows issue is due to a problem with a component that does not properly validate user permissions. This could be exploited by an attacker with access to the machine to get information on protected files, according to a second FrSirt alert. The problem affects Windows Vista, XP, 2000 and Windows Server 2003, FrSirt said.

Microsoft is looking into both vulnerabilities, which were made public last week. Neither of the flaws has been used in any attacks and exploiting the issues is hard, a company representative said.

The IE flaw could only be exploited if an attacker were to lure a victim to a malicious Web site and then persuade the user to enter the address of a trusted site into the address bar. "Customers can avoid this attack by opening and using a new instance of IE before visiting an untrusted site," Microsoft said.

The Windows problem, aside from requiring the attacker to be logged on to the vulnerable computer, appears to only expose file information, not the actual contents of the file, Microsoft said.

Upon completion of its investigations, Microsoft may issue a security advisory or provide security updates through its monthly patch process, the representative said.

"It's our most secure operating system yet."
by extinctone February 26, 2007 3:39 PM PST
Can I get my money back?
It's funny...
by whizkid454 February 26, 2007 6:35 PM PST
How someone can fuss about an operating system that has only been out for less than a month? Of course everything is not going to be perfect on the first day. That's life. Give it time and better things will come of it. Can you compare it to XP yet? NO, because it hasn't had enough time to prove itself. If you upgraded from XP, shame on you! You should have waited until the bugs were cleared. Just read the Vista forum here on CNET and you'll see why I say that.
Why?
by herby67 February 26, 2007 10:11 PM PST
Did they say "it is perfect, it has no bugs at all" or they said it was safer than XP?
In the same period since Vista's release (in October IIRC) Windows XP had about five critical vulnerabilities. Vista has had one report of one potential noncritical vulnerability. And the other alternative OSs had their share also.
So why would you expect them to return your money? They delivered on their promise, at least so far.
LOL...
by RA_REBORN February 27, 2007 6:13 AM PST
THAT IS ABOUT AS LIKELY AS BEING ABLE TO RETURN THAT PIECE OF CRAP $600 XBOX 360 BETA THAT MICROSOFT LOVES TO CHARGE FOR (ENJOY THE KERNEL ERRORS ALONG WITH THE POWER SUPPLY FAILURES)...SUCKER!
LOL!
by pentium4forever February 27, 2007 8:29 AM PST
Well, Microsoft has to try and sell their product and market it. They have to "claim" that it's more secure. The User Account Control (UAC) feature makes it somewhat more secure although it's such a nag that I have it turned off. I'm using RC1 of Vista, which expires this May for me. I am in no rush to buy Vista, XP Pro works great for me.
They're openly admitting the truth!!!
by wbenton March 3, 2007 9:26 PM PST
They've finally come out and said that previous operating systems had even less security than Vista... but they stopped there.

They should have gone on and told just how insecure and vulnerable Vista is... but they won't.

Thus they're openly telling the world that pre-Vista OS'es were even more vulnerable... (* ROFLOL *)

Walt
Why Do People Still Use IE?
by Stating February 26, 2007 5:19 PM PST
With the exception of a few laggard websites, why even bother using IE? It will always be the least secure of the bunch-o-browsers. It's not like you have to PAY for an alternative browser.
It's What Comes With the OS
by clindhartsen February 26, 2007 8:51 PM PST
In all respects, the vast majority of users out there are still the average mom, dad, grandparent, or early student who may not know alternatives exist and that they may be better than the auto-defacto already included in their OS. Still, FF has even been attacked for having weaknesses in the past and continues to be, which will probably continue as its market share continues.

Really, IE 7 isn't a bad version of the browser, though I wonder how many unknowing people will run into the problem of XP automatically updating to it, then the browser not working due to some abnormal toolbar they didn't know they had. I had to fix at least two computers where the IE7 upgrade was buggy, causing problems throughout the PC.
Why do people still use safari?
by rapier1 February 27, 2007 8:02 AM PST
I'll say IE does have problems but at least it doesn't suck as much
as Safari. I'd like Firefox a lot more if its form widgets weren't so
damn ugly.

Oh, we all owe MS a debt of gratitude though. The tag that basically
drives all of our Web2.0 Ajax goodness was a non compliant tag
that MS inserted into IE 5.0.
I have a quick solution
by ozidigga February 26, 2007 8:52 PM PST
It's a novel idea, pretty sure others have thought of it....delete IE from your desktop to help prevent clicking it by accident. Install Firefox and make it your default. IE bug is fixed. (Yes I know firefox is not perfect but it's a big improvement). Then you don't have to wait for M$ to fix problems like this. Personally I think M$ make a fine OS, but they should leave products like web browsers and security to those who don't have other distractions. M$ just have too many fingers in too many pies, many of their products are half baked.
It's Not That Bad!
by clindhartsen February 26, 2007 8:55 PM PST
In all respects, IE 7 is a perfectly good browser and actually operates on an equal level with FF in many areas. Sure, the tabbed browsing feeling is a touch off, and a few features FF has are not in IE 7 (I personally like having AdBlock in FF and "search as you type"), but it largely works well and probably is going to be a nice upgrade for the other 80%+ of the market out there.
Really?
by herby67 February 26, 2007 10:07 PM PST
Firefox doesn't have any vulnerabilities? Amazing! I thought it was a bunch of cr*p, but if it doesn't have a single vulnerability then it is a completely different thing.
Install Firefox and make it your default. IE bug is fixed.
by wbenton March 3, 2007 9:29 PM PST
>>>Install Firefox and make it your default. IE bug is fixed.<<<

Not really. Every month when you apply a Microsoft Patch, they change the default browser back to IE again.

Microsoft should be forced to create a program that WOULD allow IE to be deleted entirely from their OS'es and also be forced to STOP making IE the default browser with every monthly patch they release!!!

Walt
CallingID Toolbar automatically protects against these phishing holes
by ba_oren February 27, 2007 6:16 AM PST
The new phishing methods that can bypass the security shield of Internet Explorer 7 are automatically detected by CallingID Toolbar because of its basic design of five security layers and the unique approach of positive identification and verification of sites which took into consideration possible loopholes in web browsers.
Use alternative browser
by pentium4forever February 27, 2007 8:26 AM PST
One solution is to use IE a lot less. Use an alternate browser like FF or Opera. There's some people that claim FF can't load hardly any pages right like IE. I know there's tons of pages that are built around IE's standards and such. I beg to differ. FF displays a lot more pages correctly than it used to, I'd almost say 90-95% are fine in FF. I use IE mostly for running Windows Update although there's an add-on somewhere that lets you run Windows Update in FF believe it or not.
Internet Explorer.....to be discontinued?
by pentium4forever February 27, 2007 8:27 AM PST
Perhaps Microsoft should discontinue Internet Explorer. They seem to have to continue to work on it with fixes and such so often they probably don't get a chance to work on new projects as often as they wish.
They should AT LEAST...
by adsofiuasdfoi February 27, 2007 1:31 PM PST
unbundle it from the Operating System. That's just stupidity, pure and simple.

They should also discontinue support for ActiveX controls in IE. The only reason for using them is for Microsoft's idiotic Windows Update feature anyway.

And they should stick with support for the Sun Java VM. The Microsoft VM is a massive security flaw.
How can IE7 be any more secure..
by qwerty75 February 27, 2007 8:32 PM PST
...when it obviously has IE6 code?

Don't expect your house to stay up long when it is built on top of garbage.

If MS had even the slightest clue, they would have started over for IE7 and Vista.
YOU CAN GET WINDOWS UPDATES WITH IE
by ozidigga February 27, 2007 10:32 PM PST
www.windizupdate.com
YOU CAN GET WINDOWS UPDATES WITHOUT IE
by ozidigga February 27, 2007 10:33 PM PST
www.windizupdate.com