IE 7, Vista Bug Reports Have MS Digging
Microsoft is investigating two recently disclosed security vulnerabilities that affect Internet Explorer 7 and Windows Vista, the company said Monday. The vulnerabilities aren’t considered high-risk, yet they affect the latest releases of Microsoft’s Web browser and operating system software.
Microsoft has promoted the security of both IE 7 and Windows Vista. The flaws could let attackers get their hands on sensitive user information, security experts have warned. The French Security Incident Response Team said in an alert that the IE vulnerability, which also affects IE 6, could be exploited in phishing attacks, scams that try to trick people into giving up sensitive information such as credit card data and Social Security numbers.
The problem exists because of an error in the way the browser handles certain “onunload” events, the security monitoring company said. Attackers could exploit the issue to spoof the browser address bar, FrSirt said. The Windows issue is due to a problem with a component that does not properly validate user permissions. This could be exploited by an attacker with access to the machine to get information on protected files, according to a second FrSirt alert.
The problem affects Windows Vista, XP, 2000 and Windows Server 2003, FrSirt said. Microsoft is looking into both vulnerabilities, which were made public last week. Neither of the flaws has been used in any attacks and exploiting the issues is hard, a company representative said.

Privacy Digest | News that can impact your privacy. on 29 Jun 2007 at 5:48 pm #
isn’t a good way to establish the security of an OS. As an analysis of Microsoft’s claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista’s chart. Then we see that vulnerabilities aren’t vulnerabilities when they’re security-challenged features such as Vista’s Teredo. Also, there’s far too little consideration given to severity, given that it stoops to counting even
Kaizenlog on 02 Jul 2007 at 7:34 am #
short, the original Microsoft analysis was good PR and poor research.” Discuss this story at: http://it.slashdot.org/comments.pl?sid=07/06/28/235259 Links: 0. http://seclists.org/fulldisclosure/2007/Jun/0528.html 1. http://www.pctipsbox.com/ie-7-vista-bug-reports-have-ms-digging/ 2. http://www.securiteam.com/securityreviews/6C00O2KHFK.html
Slashdot | Vista Security Claims Debunked on 14 Jul 2007 at 9:44 am #
[...] IE bugs [...]
Win Vista on 23 Jan 2008 at 3:49 pm #
“Microsoft is investigating two recently disclosed security vulnerabilities that affect Internet Explorer 7 and Windows Vista… The flaws could let attackers get their hands on sensitive user information…” http://www.pctipsbox.com/ie-7-vista-bug-reports-have-ms-digging/ Like Vista itself, IE 7 is hounding users with nagging messages. Says Microsoft Watch: “Overnight, I posted about Internet Explorer 7, for which I have seen a large number of unhappy Microsoft Watch comments… Security is part of the problem, whether
Doubts over Vista security claims » Computer internet security on 20 Apr 2008 at 7:14 pm #
[...] used was badly flawed. A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista’s chart. Then we see that vulnerabilities aren’t vulnerabilities [...]