We received reports this morning that a security researcher had found a bug in the IE7 Beta 2 Preview release. This issue reportedly crashes IE and is exploitable to execute arbitrary code on the user’s computer. Naturally, we take the security of IE and our users’ safety very seriously, so we investigated immediately. We did confirm that the bug crashes IE. However, we did not find that the bug was exploitable by default to elevate privilege and run arbitrary code.
This bug had already been found during our code review and analysis that is a mandatory part of our development process; it was scheduled to be fixed before our next public release. We do not believe this bug is easily exploitable, and as an extra defense, the /GS flag also catches the overrun. This is a compiler flag that tells Windows to watch for some classes of buffer overflows. If Windows sees a problem, it kills the application, in this case IE, instead of running the exploit code. While this is certainly not our primary line of protection, it does offer defense-in-depth to help keep our customers secure.
At this time, we are not aware of any active exploits taking advantage of this bug. We will continue to monitor the situation and evaluate our response.
Finally, I’d like to reiterate the importance of the responsible disclosure of security issues. We firmly believe that privately disclosing security issues to software vendors is the best way to keep the users of the world secure. To report a security issue against any Microsoft product, please contact secure@microsoft.com. For other feedback on IE7, please use the methods Jason mentioned yesterday.
- Tony Chor
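The /GS behaviour described above, where the process is killed instead of continuing after an overrun, works by having the compiler place a cookie between a function's local buffers and its saved return address and check it before returning. The model below is an added example, not code from the original post or from Microsoft; the frame layout, the cookie and return-address values and the `run_function` helper are constructed for illustration, and the frame is simulated in an array rather than on the real stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame, lowest address first:
 * [ flag: 8 bytes ][ buf: 16 ][ cookie: 8 ][ saved return address: 8 ] */
enum { FLAG_OFF = 0, BUF_OFF = 8, COOKIE_OFF = 24, RET_OFF = 32, FRAME_SIZE = 40 };
enum outcome { RETURNED, TERMINATED };
struct result { enum outcome outcome; int ret_changed; int buf_dirty; };

static const uint64_t PROCESS_COOKIE = 0x5A17C0DE0BADF00DULL; /* constructed value */
static const uint64_t SAVED_RET = 0x401000ULL;                /* constructed value */

/* Models a function whose body copies len bytes to frame offset off without
 * checking the destination size. The copy is clamped to the model frame so
 * the demo itself never touches memory it does not own. */
struct result run_function(size_t off, const uint8_t *src, size_t len)
{
    uint8_t frame[FRAME_SIZE] = {0};
    uint64_t cookie, ret;
    struct result r = { RETURNED, 0, 0 };
    /* Prologue: cookie sits between the locals and the return address. */
    memcpy(frame + COOKIE_OFF, &PROCESS_COOKIE, sizeof PROCESS_COOKIE);
    memcpy(frame + RET_OFF, &SAVED_RET, sizeof SAVED_RET);
    /* Body: the unchecked copy. */
    if (off > FRAME_SIZE) off = FRAME_SIZE;
    if (len > FRAME_SIZE - off) len = FRAME_SIZE - off;
    memcpy(frame + off, src, len);
    /* Epilogue: compare the cookie before the return address is used. */
    memcpy(&cookie, frame + COOKIE_OFF, sizeof cookie);
    memcpy(&ret, frame + RET_OFF, sizeof ret);
    if (cookie != PROCESS_COOKIE) r.outcome = TERMINATED;
    r.ret_changed = (ret != SAVED_RET);
    for (size_t i = BUF_OFF; i < COOKIE_OFF; i++) r.buf_dirty |= (frame[i] != 0);
    return r;
}

int main(void)
{
    uint8_t data[FRAME_SIZE];
    memset(data, 0x41, sizeof data);
    struct result fits = run_function(BUF_OFF, data, 16);  /* exactly fills buf */
    struct result over = run_function(BUF_OFF, data, 32);  /* runs past buf */
    struct result side = run_function(FLAG_OFF, data, 12); /* flag spills into buf */
    printf("fits: terminated=%d\n", fits.outcome == TERMINATED);
    printf("over: terminated=%d ret_changed=%d\n", over.outcome == TERMINATED, over.ret_changed);
    printf("side: terminated=%d buf_dirty=%d\n", side.outcome == TERMINATED, side.buf_dirty);
    return 0;
}
```

The third case returns normally even though a neighbouring local was overwritten, because the write never reached the cookie; this is why the check covers only some classes of overflow.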
Comments
- Anonymous
February 01, 2006
Perhaps a patch should be distributed?
- Anonymous
February 01, 2006
Perhaps indeed.
- Anonymous
February 01, 2006
Perhaps a patch should be distributed? - or we can talk about FOOTBALL SOME MORE!!!! YEA! GO Steelers!
- Anonymous
February 01, 2006
IE7 locks up when I visit internet poker (http://www.everypoker.com).
- Anonymous
February 01, 2006
A patch for a remotely exploitable crash bug isn't worthwhile releasing for a beta product. Wait until the next update and if you are really concerned then turn on DEP.
- Anonymous
February 01, 2006
Perhaps you should stop using BETA PREVIEW software if you think you need that patch.
- Anonymous
February 01, 2006
Interesting, that it did not crash my IE. I have even put that site to trusted, I turned off firewall, I turned on Windows Scripting Host and nothing has happened. I had IE v7.0.5299 installed before, but in my PC is only urlmon.dll v7.0.5296.
http://img19.imageshack.us/img19/381/capture020220061111265cg.jpg
http://img301.imageshack.us/img301/6695/capture020220061131398bx.jpg
- Anonymous
February 02, 2006
http://security-protocols.com/upcoming/sp-x23.jpg
- Anonymous
February 02, 2006
I have to agree with Jack. This is Beta software, someone found the bug great! fix it in final release that is the purpose of Beta. Like I seen someone complaining about not being able to uninstall the beta, they were upset because now they were having all kinds of problems with their computer. DO NOT INSTALL BETA ON PRODUCTION MACHINES. Sheesh, you wonder why Microsoft did not publicly release beta one and everyone whines. They release beta 2 and people are trying to use it like a production browser. Beta is not intended for production use, if you do not have a spare machine to install it on then do not install it.
- Anonymous
February 02, 2006
Jeff Parker, people will complain no matter what you or MSFT does. Myself I am happy that MSFT released a preview of IE7. I like to see their progress and give my feedback, Keep up the good work.
- Anonymous
February 02, 2006
I'm not sure that I concur with your view of "responsible disclosure of security issues". Private disclosure only serves to prevent embarrassment of the software vendor and ignores the possibility that a number of people may have discovered the vulnerability independently, some of whom may not have the good intentions that the professional security researcher may have. Early public disclosure of exploitable flaws in software allows system administrators to mitigate the impact of the fault before the vendor releases a fix. Public knowledge of a fault is no more likely to bring forth a workable implementation of the exploit than keeping it hidden and hoping that someone doesn't discover the fault with only the intention of developing and deploying an exploit without notifying anyone.
But yeah whatever, a bug in beta software is probably a different case and it is probably more polite the vendor first, after all the reason it has been released for public testing is to find bugs.
/J
- Anonymous
February 02, 2006
I love how this blog entry's title is "Security issue in IE7?", like it's something completely unexpected:
IE Team, collectively:
"What? Our browser? Faulty? What!?"
;-)
- Anonymous
February 02, 2006
The comment has been removed
- Anonymous
February 02, 2006
- Get the heck out of that apt, and move to someplace more secure.
Where your analogy really falls down would be your "superintendent"? What would you think of him after he ignored all requests for the 6 years you've been at the apt. Would a shiny new apt building opening next year across the street by the same management keep you in your current apt?
- Anonymous
February 02, 2006
Jonathan,
I must strongly disagree with your comment "Public knowledge of a fault is no more likely to bring forth a workable implementation of the exploit than keeping it hidden".
We need look no further than the recent WMF exploit in which a working exploit, and numerous variations on it, was made available because no patch was available to counter it. There was a workaround, and a few users benefited from that, but the vast majority of users weren't aware of or didn't know how to use the workaround. This left FAR more people vulnerable than disclosure saved.
While I agree that critical vulnerabilities should not be left unpatched for extended periods, a responsible disclosure would allow the vendor some time to create a patch.
In fact, this happens in so called "transparent" organizations as well, such as in the open source world. CVE's are kept private until a vendor has patches available.
- Anonymous
February 02, 2006
Once again, Microsoft still needs to work a little, a lot... TOO MUCH! Long live Firefox! The source HERE Internet Explorer 7: a first flaw found in 15 minutes Fifteen minutes after installing Internet
- Anonymous
February 03, 2006
I think the beta 2 p is good!
Some new things to get used to, but nice!
The only problem I had was that msn messenger didn't work with it!!
- Anonymous
February 03, 2006
use firefox instead.............eheh
- Anonymous
February 03, 2006
use Maxthon instead...........eheh (better than both!)
- Anonymous
February 04, 2006
well well there always Naggers this how less colourful the world will be without Naggers and complainer LoL ;) been using ie7 for over a year so far so good so keep up the good work and remember " YOU need Naggers to keep YOU on your Toes" lol about the RSS I think that more can be done to get some people to make sure their RSS link work I mentioned this to some sites. and all I got " err what we are SURE it works" :-) see now I have become a NAGGER nice chatting to you all eagle
- Anonymous
February 07, 2006
I will be switching to Firefox due to all the trouble I went through removing IE7 Beta.
Lawk Salih
www.lawksalih.com
- Anonymous
February 07, 2006
The authors of standards compliant websites thank you, Lawk.
- Anonymous
February 07, 2006
I agree Eagle - Hey Naggers - it's a beta. You signed up to be... "a beta tester". Now what a concept! Since Windows gives the user the freedom to customize their PC, just about every one of the .6 Billion windows PCs out there are different in setup, software installed, and hardware. The software developers can only test a few 100,000 configurations with just a few thousand in-house employees - so they ask for your help in finding bugs. You find the bug, you "report" it - notice I did not say "nag" about it. The more "reports", the higher up the "must fix" list it goes.
If all you want to do is nag about software, there are lots of non-beta sites to do that. If you want to help make a product do what it should, and choose to be a beta tester, then be a beta tester.
- Anonymous
February 08, 2006
I WANT TO TRY THE NEW VERSION
- Anonymous
February 08, 2006
no SVG support?
no XHTML support?
no thanks.
Opera and Mozilla/Firefox work fine.
- Anonymous
February 14, 2006
Why isn't there a Chinese trial version? Do you look down on Chinese people?