February 26, 2007 2:59 PM PST

Microsoft probes IE 7, Vista bug reports

Microsoft is investigating two recently disclosed security vulnerabilities that affect Internet Explorer 7 and Windows Vista, the company said Monday.

The vulnerabilities aren't considered high-risk, yet they affect the latest releases of Microsoft's Web browser and operating system software. Microsoft has promoted the security of both IE 7 and Windows Vista. The flaws could let attackers get their hands on sensitive user information, security experts have warned.

The French Security Incident Response Team said in an alert that the IE vulnerability, which also affects IE 6, could be exploited in phishing attacks, scams that try to trick people into giving up sensitive information such as credit card data and Social Security numbers. The problem exists because of an error in the way the browser handles certain "onunload" events, the security monitoring company said. Attackers could exploit the issue to spoof the browser address bar, FrSirt said.

The Windows issue is due to a problem with a component that does not properly validate user permissions. This could be exploited by an attacker with access to the machine to get information on protected files, according to a second FrSirt alert. The problem affects Windows Vista, XP, 2000 and Windows Server 2003, FrSirt said.

Microsoft is looking into both vulnerabilities, which were made public last week. Neither of the flaws has been used in any attacks and exploiting the issues is hard, a company representative said.

The IE flaw could only be exploited if an attacker were to lure a victim to a malicious Web site and then persuade the user to enter the address of a trusted site into the address bar. "Customers can avoid this attack by opening and using a new instance of IE before visiting an untrusted site," Microsoft said.

The Windows problem, aside from requiring the attacker to be logged on to the vulnerable computer, appears to only expose file information, not the actual contents of the file, Microsoft said.

Upon completion of its investigations, Microsoft may issue a security advisory or provide security updates through its monthly patch process, the representative said.


70 comments

"It's our most secure operating system yet."
Can I get my money back?
Posted by extinctone (214 comments )
It's funny...
How someone can fuss about an operating system that has only been out for less than a month? Of course everything is not going to be perfect on the first day. That's life. Give it time and better things will come of it. Can you compare it to XP yet? NO, because it hasn't had enough time to prove itself. If you upgraded from XP, shame on you! You should have waited until the bugs were cleared. Just read the Vista forum here on CNET and you'll see why I say that.
Posted by whizkid454 (157 comments )
Why?
Did they say "it is perfect, it has no bugs at all" or they said it was safer than XP?
In the same period since Vista's release (in October IIRC) Windows XP had about five critical vulnerabilities. Vista has had one report of one potential noncritical vulnerability. And the other alternative OSs had their share also.
So why would you expect them to return your money? They delivered on their promise, at least so far.
Posted by herby67 (144 comments )
LOL...
THAT IS ABOUT AS LIKELY AS BEING ABLE TO RETURN THAT PIECE OF CRAP $600 XBOX 360 BETA THAT MICROSOFT LOVES TO CHARGE FOR (ENJOY THE KERNEL ERRORS ALONG WITH THE POWER SUPPLY FAILURES)...SUCKER!
Posted by RA_REBORN (17 comments )
LOL!
Well, Microsoft has to try and sell their product and market it. They have to "claim" that it's more secure. The User Account Control (UAC) feature makes it somewhat more secure although it's such a nag that I have it turned off. I'm using RC1 of Vista, which expires this May for me. I am in no rush to buy Vista, XP Pro works great for me.
Posted by pentium4forever (192 comments )
They're openly admitting the truth!!!
They've finally come out and said that previous operating systems had even less security than Vista... but they stopped there.

They should have gone on and told just how insecure and vulnerable Vista is... but they won't.

Thus they're openly telling the world that pre-Vista OS'es were even more vulnerable... (* ROFLOL *)

Walt
Posted by wbenton (522 comments )
Why Do People Still Use IE?
With the exception of a few laggard websites, why even bother using IE? It will always be the least secure of the bunch-o-browsers. It's not like you have to PAY for an alternative browser.
Posted by Stating (869 comments )
It's What Comes With the OS
In all respects, the vast majority of users out there are still the average mom, dad, grandparent, or early student who may not know alternatives exist and that they may be better than the auto-defacto already included in their OS. Still, FF has even been attacked for having weaknesses in the past and continues to be, which will probably continue as its market share continues.

Really, IE 7 isn't a bad version of the browser, though I wonder how many unknowing people will run into the problem of XP automatically updating to it, then the browser not working due to some abnormal toolbar they didn't know they had. I had to fix at least two computers where the IE7 upgrade was buggy, causing problems throughout the PC.
Posted by clindhartsen (13 comments )
Why do people still use safari?
I'll say IE does have problems but at least it doesn't suck as much
as Safari. I'd like Firefox a lot more if its form widgets weren't so
damn ugly.

Oh, we all owe MS a debt of gratitude though. The tag that basically
drives all of our Web2.0 Ajax goodness was a non compliant tag
that MS inserted into IE 5.0.
Posted by rapier1 (2722 comments )
I have a quick solution
It's a novel idea, pretty sure others have thought of it....delete IE from your desktop to help prevent clicking it by accident. Install Firefox and make it your default. IE bug is fixed. (Yes I know firefox is not perfect but it's a big improvement). Then you don't have to wait for M$ to fix problems like this. Personally I think M$ make a fine OS, but they should leave products like web browsers and security to those who don't have other distractions. M$ just have too many fingers in too many pies, many of their products are half baked.
Posted by ozidigga (77 comments )
It's Not That Bad!
In all respects, IE 7 is a perfectly good browser and actually operates on an equal level with FF in many areas. Sure, the tabbed browsing feeling is a touch off, and a few features FF has are not in IE 7 (I personally like having AdBlock in FF and "search as you type"), but it largely works well and probably is going to be a nice upgrade for the other 80%+ of the market out there.
Posted by clindhartsen (13 comments )
Really?
Firefox doesn't have any vulnerabilities? Amazing! I thought it was a bunch of cr*p, but if it doesn't have a single vulnerability then it is a completely different thing.
Posted by herby67 (144 comments )
Install Firefox and make it your default. IE bug is fixed.
>>>Install Firefox and make it your default. IE bug is fixed.<<<

Not really. Every month when you apply a Microsoft Patch, they change the default browser back to IE again.

Microsoft should be forced to create a program that WOULD allow IE to be deleted entirely from their OS'es and also be forced to STOP making IE the default browser with every monthly patch they release!!!

Walt
Posted by wbenton (522 comments )
CallingID Toolbar automatically protects against these phishing holes
The new phishing methods that can bypass the security shield of Internet explorer 7 are automatically detected by CallingID Toolbar because of its basic design of five security layers and the unique approach of positive identification and verification of sites which took into consideration possible loopholes in web browsers.
Posted by ba_oren (16 comments )
Use alternative browser
One solution is to use IE a lot less. Use an alternate browser like FF or Opera. There's some people that claim FF can't load hardly any pages right like IE. I know there's tons of pages that are built around IE's standards and such. I beg to differ. FF displays a lot more pages correctly than it used to, I'd almost say 90-95% are fine in FF. I use IE mostly for running Windows Update although there's an add-on somewhere that lets you run Windows Update in FF believe it or not.
Posted by pentium4forever (192 comments )
Internet Explorer.....to be discontinued?
Perhaps Microsoft should discontinue Internet Explorer. They seem to have to continue to work on it with fixes and such so often they probably don't get a chance to work on new projects as often as they wish.
Posted by pentium4forever (192 comments )
They should AT LEAST...
unbundle it from the Operating System. That's just stupidity, pure and simple.

They should also discontinue support for ActiveX controls in IE. The only reason for using them is for Microsoft's idiotic Windows Update feature anyway.

And they should stick with support for the Sun Java VM. The Microsoft VM is a massive security flaw.
Posted by adsofiuasdfoi (12 comments )
How can IE7 be any more secure..
...when it obviously has IE6 code?

Don't expect your house to stay up long when it is built on top of garbage.

If MS had even the slightest clue, they would have started over for IE7 and Vista.
Posted by qwerty75 (1164 comments )
YOU CAN GET WINDOWS UPDATES WITH IE
www.windizupdate.com
Posted by ozidigga (77 comments )
YOU CAN GET WINDOWS UPDATES WITHOUT IE
www.windizupdate.com
Posted by ozidigga (77 comments )