Second flaw in IE7 ... is it really a flaw?
-
This was mentioned in the daily news e-mail. The flaw is described as: The bug allows hackers to place a fake Web address in one of the browser's pop-up Windows, and could be used to trick a victim into inadvertently downloading something from what appeared to be a trusted Web site. While the full URL of the Web page being displayed is present in the pop-up Window's address bar, the left part of this URL is not initially displayed, the [Secunia] spokesman said. Source: http://www.infoworld.com/article/06/10/25/HNie7flaw2_1.html[^] I've looked at their example, and can't see how this is unique to IE or really even a problem? Basically, by having a page on my site at:
'http://www.mysite.com/blah?http://www.codeproject.com/login.asp '
...with some carefully appended white space at the end to scroll the address to the left, people may think they are on CodeProject.com. Only, in IE7 the address bar is selected by default (presumably to prevent this sort of thing) so the moment I try and do anything in the new window it will imediately flash up and tell me I am really on mysite.com/blah. It seems to me that Secunia is just trying to get in the news, even if they have to make up problems to do so?
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELLI have found a far worse flaw. You can alter the RSS store without being seen. Details on my blog. The IE team could have added a checksum to avoid that, but they chose not to. I hope they get fired.
-
I have found a far worse flaw. You can alter the RSS store without being seen. Details on my blog. The IE team could have added a checksum to avoid that, but they chose not to. I hope they get fired.
Stephane Rodriguez. wrote:
I hope they get fired.
:omg::rolleyes:
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -Brian Kernighan
-
Stephane Rodriguez. wrote:
I hope they get fired.
:omg::rolleyes:
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -Brian Kernighan
Yep, it's criminal to allow an entire new class of flaws (this is just one, the RSS store is a new attack vector). To get fired is not the worse that could (and should) happen to them.
-
David Wulff wrote:
can't see how this is unique to IE
Browse the link using FireFox or opera. I have not seen what exactly their JavaScript is doing but there is no issue with FF. I hope they are not doing any browser detection.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -Brian Kernighan
That is because FF2 doesn't show the address bar on popup windows by default. FF have elected to put the domain name in the title of the new window. Show the address bar, select it, and you see the same result. Looking at the way FF does it, it may even be easier to spoof a secure web site if you have the inclination to do so. All you would need to do is register a similar domain name and install an SSL certificate for your domain and you would get something at first glance looked legit in their popup window. Of course, it would be identical in IE, but if we are going to call such things 'bugs' we may as well be consistent... :rolleyes: Both browsers defeat the problem as soon as the site appears on their phishing lists.
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELL -
Yep, it's criminal to allow an entire new class of flaws (this is just one, the RSS store is a new attack vector). To get fired is not the worse that could (and should) happen to them.
You can lead a horse to water; if he doesn't drink, shoot him. Hopefully, you won't run out of horses.
Software Zen:
delete this; -
You can lead a horse to water; if he doesn't drink, shoot him. Hopefully, you won't run out of horses.
Software Zen:
delete this;What you seem to forget (or fail to know) is that those responsible for IE7 are the old IE guys, whose team has been rebuilt. So it's a matter of getting rid of dead horses.
-
You can lead a horse to water; if he doesn't drink, shoot him. Hopefully, you won't run out of horses.
Software Zen:
delete this;You can lead a horse to water, but if you can get him to walk on it you have a whole new ball game.
Author of The Career Programmer and Unite the Tribes www.PracticalStrategyConsulting.com
-
I have found a far worse flaw. You can alter the RSS store without being seen. Details on my blog. The IE team could have added a checksum to avoid that, but they chose not to. I hope they get fired.
I hope the people who employ you don't have a similar draconian policy. :)
Author of The Career Programmer and Unite the Tribes www.PracticalStrategyConsulting.com
-
What you seem to forget (or fail to know) is that those responsible for IE7 are the old IE guys, whose team has been rebuilt. So it's a matter of getting rid of dead horses.
Mmmmm. Elmers...
Author of The Career Programmer and Unite the Tribes www.PracticalStrategyConsulting.com
-
You can lead a horse to water, but if you can get him to walk on it you have a whole new ball game.
Author of The Career Programmer and Unite the Tribes www.PracticalStrategyConsulting.com
Minnesota in January; no sweat (literally). After all, you didn't specify what state the water was in. :laugh:
Software Zen:
delete this; -
I hope the people who employ you don't have a similar draconian policy. :)
Author of The Career Programmer and Unite the Tribes www.PracticalStrategyConsulting.com
Don't worry, I am self-employed and fire myself from time to time ;) On a serious note though, when a team screws it by introducing new attack vectors, the best you can do is fire them. Or you are part of the problem. You like politics, don't you?
-
Minnesota in January; no sweat (literally). After all, you didn't specify what state the water was in. :laugh:
Software Zen:
delete this;:laugh:
Author of The Career Programmer and Unite the Tribes www.PracticalStrategyConsulting.com
-
Don't worry, I am self-employed and fire myself from time to time ;) On a serious note though, when a team screws it by introducing new attack vectors, the best you can do is fire them. Or you are part of the problem. You like politics, don't you?
I detest politics, which is why I've spent so much time and energy showing other people how to cope with them. Seems to me that if you're looking for a scapegoat it would be either the QA team who missed this or the manager who failed to allocate a sufficient budget for testing.
Author of The Career Programmer and Unite the Tribes www.PracticalStrategyConsulting.com
-
I detest politics, which is why I've spent so much time and energy showing other people how to cope with them. Seems to me that if you're looking for a scapegoat it would be either the QA team who missed this or the manager who failed to allocate a sufficient budget for testing.
Author of The Career Programmer and Unite the Tribes www.PracticalStrategyConsulting.com
Neither. Since BG announced the "trustworthy computing" initiative and the security threat models are mandatory part of every step of the dev cycle in Redmond, everyone in the team is responsible. Again, this is just bad : a data store without checksums. Even rookies don't make this mistake. IE is supposed to be used by hundred millions usersvictims.
-
I have found a far worse flaw. You can alter the RSS store without being seen. Details on my blog. The IE team could have added a checksum to avoid that, but they chose not to. I hope they get fired.
You mean this[^] link. Whoo, a program running under your credentials can modify a file in the RSS cache. Sorry, I really don't see that as a vulnerability. Also, you can only change a character. You can't arbitrarily add text as it screws up the file. I just tried overtyping a bunch of the HTML in a feed with a <script> tag which simply calls
window.alert. It didn't run.Stability. What an interesting concept. -- Chris Maunder
-
This was mentioned in the daily news e-mail. The flaw is described as: The bug allows hackers to place a fake Web address in one of the browser's pop-up Windows, and could be used to trick a victim into inadvertently downloading something from what appeared to be a trusted Web site. While the full URL of the Web page being displayed is present in the pop-up Window's address bar, the left part of this URL is not initially displayed, the [Secunia] spokesman said. Source: http://www.infoworld.com/article/06/10/25/HNie7flaw2_1.html[^] I've looked at their example, and can't see how this is unique to IE or really even a problem? Basically, by having a page on my site at:
'http://www.mysite.com/blah?http://www.codeproject.com/login.asp '
...with some carefully appended white space at the end to scroll the address to the left, people may think they are on CodeProject.com. Only, in IE7 the address bar is selected by default (presumably to prevent this sort of thing) so the moment I try and do anything in the new window it will imediately flash up and tell me I am really on mysite.com/blah. It seems to me that Secunia is just trying to get in the news, even if they have to make up problems to do so?
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELLWhy You are emphasizing on the flaws on IE? I think people are de-emphasize the flaws of firefox. before 2-3 weeks ago, as per Secunia's report IE has less flaws compared to firefox. See the news posted just 2 hours ago Mozilla downplays Firefox 2.0 bugs[^]
-Sarath_._ "Great hopes make everything great possible" - Benjamin Franklin
My blog - Sharing My Thoughts, An Article - Understanding Statepattern
-
I have found a far worse flaw. You can alter the RSS store without being seen. Details on my blog. The IE team could have added a checksum to avoid that, but they chose not to. I hope they get fired.
...but please, don't use Internet Explorer.
-
I have found a far worse flaw. You can alter the RSS store without being seen. Details on my blog. The IE team could have added a checksum to avoid that, but they chose not to. I hope they get fired.
I see you are trying to get a rise out of people in order to react to your posts. Well you got my attention as far as a reaction this is it.
Ant. I'm hard, yet soft.
I'm coloured, yet clear.
I'm fruity and sweet.
I'm jelly, what am I? Muse on it further, I shall return! - David Walliams (Little Britain) -
Why You are emphasizing on the flaws on IE? I think people are de-emphasize the flaws of firefox. before 2-3 weeks ago, as per Secunia's report IE has less flaws compared to firefox. See the news posted just 2 hours ago Mozilla downplays Firefox 2.0 bugs[^]
-Sarath_._ "Great hopes make everything great possible" - Benjamin Franklin
My blog - Sharing My Thoughts, An Article - Understanding Statepattern
Sarath. wrote:
Why You are emphasizing on the flaws on IE?
I'm not - I'm emphasising the fact they are calling a carefully created presentation issue a flaw, when in fact the moment you try and do anything with it it immediately tells you it is on a spoofed site. That is even when you ignore IE7's spoof site warnings, which would get picked up within hours of it going live. The so-called flaw can't even be used in the real world because it requires script to open the window of an exact size in order to work - something that no e-mail client will allow to run. The only way to launch such a window would be from the spoof web site itself, defeating the whole thing. (Again, ignoring the built-in spoof filter.)
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELL -
You mean this[^] link. Whoo, a program running under your credentials can modify a file in the RSS cache. Sorry, I really don't see that as a vulnerability. Also, you can only change a character. You can't arbitrarily add text as it screws up the file. I just tried overtyping a bunch of the HTML in a feed with a <script> tag which simply calls
window.alert. It didn't run.Stability. What an interesting concept. -- Chris Maunder
I really love his comparison between Firefox and Microsoft Word, which ends with the suggestion that Word is no longer needed because FF2 ships with an English spell checker. If you can bare to read any further into his blog, make sure you are sitting firmly in your chair or you may just fall out of it laughing. My god, it is rare to see such blatent bias - even Jeremy doesn't go quite that far when Macs get brought up in the Lounge! ;P I particularly like the half page of writing bitching about IE7's search providers, simply because he couldn't be bothered to read the one line of instructions on how to use them. :rolleyes:
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELL