Three IE7 Vulnerabilities Found

It’s been revealed over the last two weeks that Microsoft’s new browser is vulnerable to an injection attack. Coincidentally, this is the same flaw that was detected and patched in December 2004 for IE6. The flaw would allow a visitor on a trusted website to receive a pop-up whose content comes from another computer that impersonates (or spoofs) the trusted website.

The injection attack is not the first problem with IE7; since its Oct. 17 release, two other vulnerabilities have been identified: an information disclosure weakness with IE7 and Outlook Express, and a similar pop-up threat in which a spoofed pop-up could be introduced by appending a set of characters to the end of a trusted URL. The code to trigger the exploit is already public.

Microsoft doesn’t win points for retaining consumer confidence when IE7 was intentionally released ahead of Windows Vista primarily for its security benefits. If IT managers weren’t already skeptical about Vista, IE7 being vulnerable to problems supposedly fixed two years ago raises concerns over a Q1/Q2 Vista deployment in 2007.

R

Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, MCSE, a Master’s degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.