IE Beta7 Denial Of Service Flaw

Months after the beta release of IE 7 to the internet community, several flaws have been discovered. Microsoft, on the other hand, continues to take all of these into consideration before the actual release of the product. Recently a new bug was discovered that allows maliciously written HTML files to crash the IE7 browser. This was featured in an article on www.eweek.com. Microsoft answered the allegation, stating that the flaw is not crucial to the system. Here is the report taken from eWEEK.

An independent security researcher has pinpointed a denial-of-service flaw in Microsoft's brand new Internet Explorer 7 Beta 2 Preview just moments after installing the security-centric browser makeover.


Tom Ferris said he could hardly believe his eyes when the new browser crashed less than 15 minutes after he started using a homemade fuzz testing tool to poke around for potential security issues.

Ferris, known online as "badpack3t," found that specially crafted HTML could cause IE7 to crash because "urlmon.dll" does not properly parse the "file://" protocol.

"I've confirmed a denial-of-service at this point, but I'm sure someone malicious could research this some more to control memory at some point to cause code execution," Ferris said in an interview with eWEEK.

Here is Microsoft's answer, taken from eWEEK.

On the Internet Explorer blog, Microsoft program manager Tony Chor confirmed the bug causes a browser crash but said initial investigations did not find that it was exploitable by default to elevate privilege and run arbitrary code.

"This bug had already been found during our code review and analysis that is a mandatory part of our development process. It was scheduled to be fixed before our next public release. We do not believe this bug is easily exploitable," Chor said.

The Redmond, Wash. software maker typically downplays a denial-of-service browser bug that fixes itself when the browser is restarted, but Ferris said it's dangerous to assume the risk cannot be escalated with additional research.

"We've seen in the past where [malicious hackers] took a denial-of-service issue and created a zero day," he said, citing a case in November 2005 when a U.K.-based group called "Computer Terrorism" released a nasty exploit for a bug that was reported simply as a browser crash issue.

Even though the IE7 browser is still in beta, which allows time to fix bugs before the final release, Ferris said something as serious as a potential code execution hole should have been found by Microsoft's software engineers.

"This is Beta 2. The next step is full release," he added. A final release of Internet Explorer 7 for Windows XP is expected sometime during the second half of 2006.


To see the actual code that could crash the IE7 browser and the actual events as the browser crashed, visit the Security Protocol Site.

The battle for browser supremacy has been the hottest since the release of Firefox. Microsoft continues to improve its IE browser as other companies try to keep up. This can only mean good news for browser freaks like us.
