Second flaw in IE7 ... is it really a flaw?
-
You mean this[^] link. Whoo, a program running under your credentials can modify a file in the RSS cache. Sorry, I really don't see that as a vulnerability. Also, you can only change a character. You can't arbitrarily add text as it screws up the file. I just tried overtyping a bunch of the HTML in a feed with a <script> tag which simply calls
window.alert. It didn't run.Stability. What an interesting concept. -- Chris Maunder
I really love his comparison between Firefox and Microsoft Word, which ends with the suggestion that Word is no longer needed because FF2 ships with an English spell checker. If you can bare to read any further into his blog, make sure you are sitting firmly in your chair or you may just fall out of it laughing. My god, it is rare to see such blatent bias - even Jeremy doesn't go quite that far when Macs get brought up in the Lounge! ;P I particularly like the half page of writing bitching about IE7's search providers, simply because he couldn't be bothered to read the one line of instructions on how to use them. :rolleyes:
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELL -
...but please, don't use Internet Explorer.
I voted you a 1.0 on this message and the one where you mention criminals, because the content of those messages is utter drivel. And that is being polite to your other responses on this thread. Still, if it helps you to feel important, I promise not to waste time voting on future messages.
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELL -
You mean this[^] link. Whoo, a program running under your credentials can modify a file in the RSS cache. Sorry, I really don't see that as a vulnerability. Also, you can only change a character. You can't arbitrarily add text as it screws up the file. I just tried overtyping a bunch of the HTML in a feed with a <script> tag which simply calls
window.alert. It didn't run.Stability. What an interesting concept. -- Chris Maunder
My god, I just hex-edited IE7's exe * and replaced it with the code of a virus, and now when I run it I've got a virus. Fire the lot of them, I say * Actually, I didn't
-- Help me! I'm turning into a grapefruit! Buzzwords!
-
I have found a far worse flaw. You can alter the RSS store without being seen. Details on my blog. The IE team could have added a checksum to avoid that, but they chose not to. I hope they get fired.
Stephane Rodriguez. wrote:
I hope they get fired.
:sigh:
"When I get a little money, I buy books and if any is left, I buy food and clothes." --Erasmus
-
I have found a far worse flaw. You can alter the RSS store without being seen. Details on my blog. The IE team could have added a checksum to avoid that, but they chose not to. I hope they get fired.
This is just like the Outlook bug where I can delete email I don't want to keep anymore. Come to think of it I can edit my Word files without any errors. And probably my Excel files and my PowerPoint presentations... The whole Office team should be fired. OMG I just tried changing my desktop background in Vista, and it let me... better fire the Vista team as well. Under even further research I discovered that I can change my code files without Visual Studio stopping me, and I encountered this bug on XP, 2003 Server AND Vista. I am begginning to believe the only way to keep my precious files safe from myself is to erase my harddrives... Everyone that has ever used a computer should be fired from their job! Seriously though altering the RSS Store is not a bug, its called editing files on your own computer. Furthermore the data store is documented in the Feeds API and is stored as such to allow for easy consumption by programs other than IE 7.
Matt Newman
Even the very best tools in the hands of an idiot will produce something of little or no value. - Chris Meech on Idiots -
This was mentioned in the daily news e-mail. The flaw is described as: The bug allows hackers to place a fake Web address in one of the browser's pop-up Windows, and could be used to trick a victim into inadvertently downloading something from what appeared to be a trusted Web site. While the full URL of the Web page being displayed is present in the pop-up Window's address bar, the left part of this URL is not initially displayed, the [Secunia] spokesman said. Source: http://www.infoworld.com/article/06/10/25/HNie7flaw2_1.html[^] I've looked at their example, and can't see how this is unique to IE or really even a problem? Basically, by having a page on my site at:
'http://www.mysite.com/blah?http://www.codeproject.com/login.asp '
...with some carefully appended white space at the end to scroll the address to the left, people may think they are on CodeProject.com. Only, in IE7 the address bar is selected by default (presumably to prevent this sort of thing) so the moment I try and do anything in the new window it will imediately flash up and tell me I am really on mysite.com/blah. It seems to me that Secunia is just trying to get in the news, even if they have to make up problems to do so?
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELLOn the one hand, i don't think it's a big deal. On the other hand, Microsoft probably did, seeing as how one of the obvious changes between IE6 and IE7 was to force an address bar into popups, for the single stated reason of making it harder to spoof legit windows. If it's too easy to spoof a URL, then that effectively negates the whole reason for it to exist - so yeah, it's a flaw. Even if i used IE7, this wouldn't be the sort of thing that'd have me worried at all, but i can at least see why it'd be reported as a flaw.
every night, i kneel at the foot of my bed and thank the Great Overseeing Politicians for protecting my freedoms by reducing their number, as if they were deer in a state park. -- Chris Losinger, Online Poker Players?
-
You mean this[^] link. Whoo, a program running under your credentials can modify a file in the RSS cache. Sorry, I really don't see that as a vulnerability. Also, you can only change a character. You can't arbitrarily add text as it screws up the file. I just tried overtyping a bunch of the HTML in a feed with a <script> tag which simply calls
window.alert. It didn't run.Stability. What an interesting concept. -- Chris Maunder
You don't see the vulnerability? Don't worry, keep using Internet Explorer... An example of nefarious purpose is to rewrite urls. Don't see what it can be used for?
-
I really love his comparison between Firefox and Microsoft Word, which ends with the suggestion that Word is no longer needed because FF2 ships with an English spell checker. If you can bare to read any further into his blog, make sure you are sitting firmly in your chair or you may just fall out of it laughing. My god, it is rare to see such blatent bias - even Jeremy doesn't go quite that far when Macs get brought up in the Lounge! ;P I particularly like the half page of writing bitching about IE7's search providers, simply because he couldn't be bothered to read the one line of instructions on how to use them. :rolleyes:
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELLYou are such a smart person. May be once in your life you'll be able to wear a real user hat. What I have been posting about IE7 and the search thing is 1) real 2) exactly what every user will face. Deal with it.
-
I really love his comparison between Firefox and Microsoft Word, which ends with the suggestion that Word is no longer needed because FF2 ships with an English spell checker. If you can bare to read any further into his blog, make sure you are sitting firmly in your chair or you may just fall out of it laughing. My god, it is rare to see such blatent bias - even Jeremy doesn't go quite that far when Macs get brought up in the Lounge! ;P I particularly like the half page of writing bitching about IE7's search providers, simply because he couldn't be bothered to read the one line of instructions on how to use them. :rolleyes:
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELLAlso it's great to see people like you shelling out ton of money to buy your copy of Word. Do you also buy Frontpage?
-
My god, I just hex-edited IE7's exe * and replaced it with the code of a virus, and now when I run it I've got a virus. Fire the lot of them, I say * Actually, I didn't
-- Help me! I'm turning into a grapefruit! Buzzwords!
Try to find something smarter. Touching a .exe is not the same than touching data that ends up in every one's face through the rendering engine. Don't see the flaw? the IE team sanitizes the feed before it gets stored, and then they do nothing before it's rendered on the screen using a web browser that is capable of very nefarious things. Get it now?
-
I voted you a 1.0 on this message and the one where you mention criminals, because the content of those messages is utter drivel. And that is being polite to your other responses on this thread. Still, if it helps you to feel important, I promise not to waste time voting on future messages.
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELLDrivel? Do you even know what the RSS store is before you make judgement?
-
You are such a smart person. May be once in your life you'll be able to wear a real user hat. What I have been posting about IE7 and the search thing is 1) real 2) exactly what every user will face. Deal with it.
I've been [un]fortunate enough to upgrade about a dozen computer illeterate users to IE7 this week and I have not noticed any of them having problems setting up Google as their default search provider. It really is as simple as one-two-three. If you've found it otherwise, I suspect you were either looking to find problems regardless or you were looking to do it the FF way. Neither scenario will apply to IE7s target users.
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELL -
Also it's great to see people like you shelling out ton of money to buy your copy of Word. Do you also buy Frontpage?
Yes, I have Frontpage 2003. I use it to manage my SharePoint portals due to its tight integration with all the supporting technologies.
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELL -
Drivel? Do you even know what the RSS store is before you make judgement?
Check your reading comprehension add-in for Firefox, I don't think it was updated after the 2.0 release. Then you can try reading my message again.
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELL -
On the one hand, i don't think it's a big deal. On the other hand, Microsoft probably did, seeing as how one of the obvious changes between IE6 and IE7 was to force an address bar into popups, for the single stated reason of making it harder to spoof legit windows. If it's too easy to spoof a URL, then that effectively negates the whole reason for it to exist - so yeah, it's a flaw. Even if i used IE7, this wouldn't be the sort of thing that'd have me worried at all, but i can at least see why it'd be reported as a flaw.
every night, i kneel at the foot of my bed and thank the Great Overseeing Politicians for protecting my freedoms by reducing their number, as if they were deer in a state park. -- Chris Losinger, Online Poker Players?
The reason I question it being described as a flaw is that the moment you click on the new window the address will clearly change to that of the spoofed site, effectively making the window useless.
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELL -
Check your reading comprehension add-in for Firefox, I don't think it was updated after the 2.0 release. Then you can try reading my message again.
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELLTypical clueless defense. Keep voting 1.0s if that makes you feel good, 8-year old boy.
-
Typical clueless defense. Keep voting 1.0s if that makes you feel good, 8-year old boy.
For you Stephane, I will always find time to vote. Seriously though, learn to read in English. I am frightened you really don't understand my response.
Ðavid Wulff Die Freiheit spielt auf allen Geigen (video)
10 PRINT 'HELLO MAINTAINER: GOTO HELL