Security issue in IE7?

We received reports this morning that a security researcher had found a bug in the IE7 Beta 2 Preview release. This issue reportedly crashes IE and is exploitable to execute arbitrary code on the user’s computer. Naturally, we take the security of IE and our users’ safety very seriously, so we investigated immediately. We did confirm that the bug crashes IE. However, we did not find that the bug was exploitable by default to elevate privilege and run arbitrary code.

This bug had already been found during our code review and analysis that is a mandatory part of our development process; it was scheduled to be fixed before our next public release. We do not believe this bug is easily exploitable, and as an extra defense, the /GS flag also catches the overrun. This is a compiler flag that tells Windows to watch for some classes of buffer overflows. If Windows sees a problem, it kills the application, in this case IE, instead of running the exploit code. While this is certainly not our primary line of protection, it does offer defense-in-depth to help keep our customers secure.

At this time, we are not aware of any active exploits taking advantage of this bug. We will continue to monitor the situation and evaluate our response.

Finally, I’d like to reiterate the importance of the responsible disclosure of security issues. We firmly believe that privately disclosing security issues to software vendors is the best way to keep the users of the world secure. To report a security issue against any Microsoft product, please contact secure@microsoft.com. For other feedback on IE7, please use the methods Jason mentioned yesterday.

 - Tony Chor

Published Wednesday, February 01, 2006 5:10 PM by ieblog
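The stack-cookie check behind /GS, modelled as an added example (not code from this post or from IE). The frame layout, the cookie and return-address values, and `run_frame` are all constructed for illustration; the frame is a flat byte array so the overrun stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame, lowest address first:
   [16-byte local buffer][8-byte cookie][8-byte saved return address] */
enum { BUF_LEN = 16, COOKIE_OFF = 16, RET_OFF = 24, FRAME_LEN = 32 };

/* Constructed values; a real /GS build picks a random cookie per process. */
static const uint64_t PROCESS_COOKIE = 0x5bd1e995c0ffee11ULL;
static const uint64_t SAVED_RET = 0x0000000000401000ULL;

typedef enum { RETURNED_NORMALLY, KILLED_BY_COOKIE_CHECK, HIJACKED } outcome_t;

/* Models a function that copies len bytes into its local buffer without
   checking len against BUF_LEN, then runs its epilogue. */
outcome_t run_frame(const uint8_t *input, size_t len, int gs_enabled)
{
    uint8_t frame[FRAME_LEN] = {0};
    uint64_t cookie, ret;

    /* Prologue: the cookie sits between the locals and the return address. */
    memcpy(frame + COOKIE_OFF, &PROCESS_COOKIE, sizeof PROCESS_COOKIE);
    memcpy(frame + RET_OFF, &SAVED_RET, sizeof SAVED_RET);

    /* The bug: no bounds check. Clamped to the frame only to keep the model defined. */
    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(frame, input, len);

    /* Epilogue: with /GS the cookie is compared before the return is taken. */
    memcpy(&cookie, frame + COOKIE_OFF, sizeof cookie);
    memcpy(&ret, frame + RET_OFF, sizeof ret);
    if (gs_enabled && cookie != PROCESS_COOKIE)
        return KILLED_BY_COOKIE_CHECK;   /* process is terminated here */
    return ret == SAVED_RET ? RETURNED_NORMALLY : HIJACKED;
}

int main(void)
{
    uint8_t in[FRAME_LEN];
    memset(in, 'A', sizeof in);          /* constructed input */
    printf("fits in buffer, /GS on : %d\n", run_frame(in, BUF_LEN, 1));
    printf("full overrun,   /GS off: %d\n", run_frame(in, FRAME_LEN, 0));
    printf("full overrun,   /GS on : %d\n", run_frame(in, FRAME_LEN, 1));
    printf("cookie-only,    /GS off: %d\n", run_frame(in, 20, 0));
    return 0;
}
```

The last case shows why the check is defense-in-depth rather than a fix: without it, an overrun that stops short of the return address corrupts memory silently and the function still returns normally.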

Comments

# re: Security issue in IE7?

Wednesday, February 01, 2006 8:18 PM by Ryan
Perhaps a patch should be distributed?

# re: Security issue in IE7?

Wednesday, February 01, 2006 8:23 PM by Alexis
Perhaps indeed.

# re: Security issue in IE7?

Wednesday, February 01, 2006 8:57 PM by Football
Perhaps a patch should be distributed? - or we can talk about FOOTBALL SOME MORE!!!! YEA! GO Steelers!

# Phil Taylor's Joomla Components Blog

Wednesday, February 01, 2006 8:57 PM by Phil Taylor's Joomla Components Blog

# re: Security issue in IE7?

Thursday, February 02, 2006 2:53 AM by Joseph Sandalay
IE7 locks up when I visit internet poker (http://www.everypoker.com).

# re: Security issue in IE7?

Thursday, February 02, 2006 4:12 AM by Manip
A patch for a remotely exploitable crash bug isn't worthwhile releasing for a beta product. Wait until the next update and if you are really concerned then turn on DEP.

# re: Security issue in IE7?

Thursday, February 02, 2006 4:30 AM by Jack
Perhaps you should stop using BETA PREVIEW software if you think you need that patch.

# re: Security issue in IE7?

Thursday, February 02, 2006 5:49 AM by TheTOM.SK
Interesting, that it did not crash my IE. I have even put that site to trusted, I turned off firewall, I turned on Windows Scripting Host and nothing has happened. I had IE v7.0.5299 installed before, but in my PC is only urlmon.dll v7.0.5296.
http://img19.imageshack.us/img19/381/capture020220061111265cg.jpg
http://img301.imageshack.us/img301/6695/capture020220061131398bx.jpg

# re: Security issue in IE7?

Thursday, February 02, 2006 8:08 AM by Bla

# Dakewl Blog » Blog Archive » IE7, Beta2 disponible: copia y mal

# re: Security issue in IE7?

Thursday, February 02, 2006 8:57 AM by Jeff Parker
I have to agree with Jack. This is Beta software, someone found the bug, great! Fix it in final release, that is the purpose of Beta. Like I seen someone complaining about not being able to uninstall the beta, they were upset because now they were having all kinds of problems with their computer. DO NOT INSTALL BETA ON PRODUCTION MACHINES. Sheesh, you wonder why Microsoft did not publicly release beta one and everyone whines. They release beta 2 and people are trying to use it like a production browser. Beta is not intended for production use, if you do not have a spare machine to install it on then do not install it.

# re: Security issue in IE7?

Thursday, February 02, 2006 9:28 AM by JoeM
Jeff Parker, people will complain no matter what you or MSFT does. Myself, I am happy that MSFT released a preview of IE7. I like to see their progress and give my feedback. Keep up the good work.

# re: Security issue in IE7?

Thursday, February 02, 2006 9:56 AM by Jonathan Stowe
I'm not sure that I concur with your view of "responsible disclosure of security issues". Private disclosure only serves to prevent embarrassment of the software vendor and ignores the possibility that a number of people may have discovered the vulnerability independently, some of whom may not have the good intentions that the professional security researcher may have. Early public disclosure of exploitable flaws in software allows system administrators to mitigate the impact of the fault before the vendor releases a fix. Public knowledge of a fault is no more likely to bring forth a workable implementation of the exploit than keeping it hidden and hoping that someone doesn't discover the fault with only the intention of developing and deploying an exploit without notifying anyone.

But yeah whatever, a bug in beta software is probably a different case and it is probably more polite the vendor first, after all the reason it has been released for public testing is to find bugs.

/J\

# Martin's Blog

Thursday, February 02, 2006 10:40 AM by Martin's Blog

# re: Security issue in IE7?

Thursday, February 02, 2006 11:23 AM by Mark
I love how this blog entry's title is "Security issue in IE7?", like it's something completely unexpected:

IE Team, collectively:
"What? Our browser? Faulty? What!?"

;-)

# IE 7 beta 2 preview first bug already found!

Thursday, February 02, 2006 1:05 PM by Daniel Wissa's .NET Journey

# re: Security issue in IE7?

Thursday, February 02, 2006 1:41 PM by Brett Jiu
Let's say you live in a large apartment building. One day you discover that the backdoor to the building, which should be deadbolted, is in fact not and there's not even a regular lock to keep it secure. Would you immediately 1) run a newspaper ad or write a blog warning everyone in the world about this, or 2) contact the superintendent and give him/her a chance to fix the security hole? I think most responsible people will go #2, and so should a security expert who discovers important security vulnerabilities.

# re: Security issue in IE7?

Thursday, February 02, 2006 2:25 PM by I Hate It
3) Get the heck out of that apt, and move to someplace more secure.

Where your analogy really falls down would be your "superintendent"? What would you think of him after he ignored all requests for the 6 years you've been at the apt. Would a shiny new apt building opening next year across the street by the same management keep you in your current apt?

# re: Security issue in IE7?

Thursday, February 02, 2006 2:45 PM by mystere
Jonathan,

I must strongly disagree with your comment "Public knowledge of a fault is no more likely to bring forth a workable implementation of the exploit than keeping it hidden".

We need look no further than the recent WMF exploit in which a working exploit, and numerous variations on it, was made available because no patch was available to counter it. There was a workaround, and a few users benefited from that, but the vast majority of users weren't aware of or didn't know how to use the workaround. This left FAR more people vulnerable than disclosure saved.

While I agree that critical vulnerabilities should not be left unpatched for extended periods, a responsible disclosure would allow the vendor some time to create a patch.

In fact, this happens in so-called "transparent" organizations as well, such as in the open source world. CVEs are kept private until a vendor has patches available.

# Internet Explorer 7 ! La blague...

Thursday, February 02, 2006 7:15 PM by Arnaud Thiery... The Blog !
Once again, Microsoft still needs to work a little, a lot... TOO MUCH! Long live Firefox! The source HERE Internet Explorer 7: a first flaw found in 15 minutes Fifteen minutes after installing Internet

# digitalfive.org » Blog Archive » Internet Explorer 7 Preview Roundup

# Digital Common Sense » Denial-of-service flaw flagged in IE7 Beta 2

# re: Security issue in IE7?

Friday, February 03, 2006 12:02 PM by Sindre Solheim
I think the beta 2 p is good!
Some new things to get used to, but nice!
The only problem I had was that msn messenger didn't work with it!!

# re: Security issue in IE7?

Friday, February 03, 2006 6:57 PM by donna
use firefox instead.............eheh

# re: Security issue in IE7?

Saturday, February 04, 2006 5:48 AM by tracy
use Maxthon instead...........eheh (better than both!)

# re: Security issue in IE7?

Sunday, February 05, 2006 4:24 AM by Eagle Averro
well well there always Naggers this how less colourful the world will be without Naggers and complainers LoL ;) been using ie7 for over a year so far so good so keep up the good work and remember "YOU need Naggers to keep YOU on your Toes" lol. About the RSS I think that more can be done to get some people to make sure their RSS link works. I mentioned this to some sites and all I got "err what we are SURE it works" :-) see now I have become a NAGGER. Nice chatting to you all, eagle

# Meng Yan ( ?????? ) @ Weblog » Blog Archive » IE7 Beta2 Preview

# re: Security issue in IE7?

Tuesday, February 07, 2006 9:50 AM by Lawk Salih
I will be switching to Firefox due to all the trouble I went through removing IE7 Beta.

Lawk Salih
www.lawksalih.com

# Switching

Tuesday, February 07, 2006 12:32 PM by Srđan Prodanović
The authors of standards compliant websites thank you, Lawk.

# re: Security issue in IE7?

Tuesday, February 07, 2006 6:30 PM by bill_bright
I agree Eagle - Hey Naggers - it's a beta. You signed up to be... "a beta tester". Now what a concept! Since Windows gives the user the freedom to customize their PC, just about every one of the .6 Billion windows PCs out there are different in setup, software installed, and hardware. The software developers can only test a few 100,000 configurations with just a few thousand in-house employees - so they ask for your help in finding bugs. You find the bug, you "report" it - notice I did not say "nag" about it. The more "reports", the higher up the "must fix" list it goes.

If all you want to do is nag about software, then there are lots of non-beta sites to do that. If you want to help make a product do what it should, and choose to be a beta tester, then be a beta tester.

# re: Security issue in IE7?

Wednesday, February 08, 2006 12:57 PM by FEOLA
I WANT TO TRY THE NEW VERSION

# re: Security issue in IE7?

Thursday, February 09, 2006 12:09 AM by Former Customer
no SVG support?
no XHTML support?
no thanks.

Opera and Mozilla/Firefox work fine.

# Download IE7 beta 2 — My Stuff Archive

Thursday, February 09, 2006 3:05 AM by Download IE7 beta 2 — My Stuff Archive

# re: Security issue in IE7?

Wednesday, February 15, 2006 3:26 AM by scu2006
Why isn't there a Chinese trial version? Do you look down on Chinese people?

# Security issues and Bugs in IE 7: Nirlog.com

Saturday, February 25, 2006 12:18 AM by Security issues and Bugs in IE 7: Nirlog.com

# Un lugar en el mundo… » Blog Archive » Hay algo que no es como me dicen

# .:Linkey’s Blog:. » Blog Archive » .:IE 7 Beta Preview 2: Primer Bug:.

# I cannot recommend IE 7 Beta 2 to anyone. « DPGI v.2

Monday, August 28, 2006 4:18 PM by I cannot recommend IE 7 Beta 2 to anyone. « DPGI v.2