Microsoft Addresses IE7 Address Vulnerability

Microsoft has addressed reports of a vulnerability in Internet Explorer 7 that could possibly lead people to believe a website is safe, when it could actually be a malicious website looking to exploit browsers. The security site Secunia posted a vulnerability in IE7 address bar, here yesterday.

A weakness has been discovered in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

The problem is that it’s possible to display a popup with a somewhat spoofed address bar where a number of special characters have been appended to the URL. This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions. Source: Secunia

They have posted a test page to let you know if you are vulnerable or not, here. Microsoft’s response is posted here, but they pretty much say all they can, you can actually see the whole address if you click on the popup and scroll left or right, and they recommend turning on the Microsoft Phishing Filter, to help block phishing sites who might try to exploit this vulnerability.

Now, our general guidance as far as things you can do to help protect yourself against phishing attacks can help protect here. Specifically that you should never enter personal information into a website unless you’ve verified the server?s name by using SSL. We talk about this on our website here.

The other thing I wanted to mention is that in IE 7, the Microsoft Phishing Filter can help protect should any phishing sites attempt to exploit this issue in a couple of ways.

First, the Phishing Filter’s browser-based heuristics can help to protect you. These heuristics analyze Web pages in real time and then can warn you about suspicious characteristics if it finds any on the page. If someone attempts to use this issue in a phishing site, the Phishing Filter’s heuristics may detect that site as such and warn you.

Another way the Phishing Filter can help protect you is through our online service. If a site that attempts to exploit this issue is reported to us and confirmed to be a phishing site, we will add it to the Microsoft Phishing Filter?s online service and it will be flagged as a phishing site when viewed in IE7. Source: Microsoft Security Response Center Blog

The phishing filter should definitely help, although it did appear to slow my machine down when I first looked at it, so I may turn it back on and let it run some more to see if it actually gets any faster.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - October 26, 2006 at 1:31 pm

Categories: IE7, Security   Tags: , ,

First IE7 Flaw is Actually Outlook Express Flaw

Color me confused. I currently look like a hog staring at a wristwatch.

I posted earlier about the first IE7 vulnerability, found by Secunia, well, apparently, its actually a flaw in Outlook Express, from the Microsoft Security Response Center Blog,

These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express.

Umm, wonder why a security company would post a flaw about one program when it was really a different program?

Be the first to comment - What do you think?  Posted by Jimmy Daniels - October 20, 2006 at 1:47 am

Categories: IE7   Tags:

First IE7 Vulnerability Discovered

Not even out 24 hours yet and a new vulnerability is discovered in IE7, it was discovered by Secunia and released today. It involves the handling of redirections for URLs with the “mhtml:” URI handler.

A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error in the handling of redirections for URLs with the “mhtml:” URI handler. This can be exploited to access documents served from another web site.

Secunia has constructed a test, which is available at:

Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected.

The solution they have listed is to disable active scripting support, and since there is now patch yet, if you use the test link they created above and find yourself vulnerable, you may want to consider disabling it until a patch is released.

Added: Saw this post on that says it allows anyone with control over a webserver to control anything you do with any page you can connect to.

This is some of the worst ownage I?ve seen in a long time. Secunia announced a really nasty cross domain leak for Internet Explorer. This allows anyone with control over a webserver to control anything you do with any page you can connect to. It?s interesting that Secunia marked it as a ?less critical? threat, as this pretty much gives any attacker read access to any domain anywhere as long as you are using Internet Explorer 6.0 or 7.0.

The only saving grace here is that it does require access to a server where you can write HTTP headers (or somewhere that you can do header injection/redirection) as you need to force the browser to go to a certain URL which then redirects to another URL.

So, they make it sound like it could be more critical than less critical, hehe. They say it will allow “complete ownage” of the internet for users of Internet Explorer. And three more weeks until the next patch Tuesday. Could be a long month.

2 comments - What do you think?  Posted by Jimmy Daniels - October 19, 2006 at 1:24 pm

Categories: IE7, Security   Tags:

IE7 Has Trouble with Google Websites

Was just reading some of the coverage on the release of Internet Explorer 7 and noticed a post by Robert Scoble in which he said the Google Reader website loads very slow for him, Firefox vs. IE 7 (IE7 having trouble with Google sites?). I to have noticed that almost everything by Google loads very slowly for me, takes a lot longer to display the page, my personal Google homepage takes awhile longer to load as well. Google sitemaps loads okay, no problems there.

But IE7 does have some challenges ahead of it. Some sites in it render very slow. Most notably for me, Google Reader. I?m also using the new Firefox 2 and Firefox is a LOT faster. IE7 is frustratingly slow on Google Reader. It seems to hang whenever new stuff is being downloaded in the background via AJAX. To be fair, Google is probably pushing the browser in all sorts of ways, even the MSN team decided to back off on its use of AJAX due to speed problems, though ( used to have an infinite scroll capability, which I really loved but they got rid of it after speed complaints came in).

UPDATE: I just went to Google Maps with both browsers too. Same results. Firefox 2 is a LOT faster on AJAX (dragging the map around feels a lot better on Firefox 2).

Any other Google sites anyone is having trouble with?

All of the main Google pages linked to from the Google search engine, Google Video, Google Images, Google News and the search engine itself all load as well as they used to, with Google Maps being the only one to load slower.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - at 11:46 am

Categories: Google, IE7   Tags:

Internet Explorer 7 for Windows XP Released Today

Microsoft today released Internet Explorer 7 for Windows XP and partner sites are going to release branded versions with their own search engines, such as Yahoo,, and

We listened carefully to feedback from many sources (including this blog) and worked hard to deliver a safer browser that makes everyday tasks easier. When I first posted publicly about IE7, I wrote that we would go further to defend users from phishing and malicious software. The Phishing Filter and the architectural work in IE7 around networking and ActiveX opt-in will help keep users more secure. IE7 also delivers a much easier browsing experience with features like tabbed browsing (especially with QuickTabs), shrink-to-fit printing, an easily customizable search box, and a new design that leaves more screen real estate for the web site you?re viewing. IE7?s CSS improvements are incredibly important for developers as many of you have made quite clear. I also think IE7?s RSS experience and platform are important, powerful, and innovative.

In addition to our release of IE7, Yahoo! has a customized version of the browser available today and over the next few days partners such as and USA TODAY will offer their own customized versions. These versions will tailor the user experience with specific toolbars, additional search engines, favorites, and RSS feeds. Source: IEBlog

Downloading it now!

When we release IE7 it will be released via Windows Update as a Critical Update. This means that lots of computers will be getting IE7 installed on them in a reletively short time span. If you manage a web site you need to make sure you are ready for this change in the market.

Lots of sites have made IE specific changes to work around some of the idiosyncrasies of IE6. You will need to make sure these changes will still work with IE7. Source: Darryl Burling @ Work

How do you get ready for IE7? Here is a quote from another page on the IEBlog,

Download, install and test your products with IE7 RC 1 ?This is the fastest and best way to test for compatibility issues.

Download the IE7 Readiness Toolkit – This toolkit pulls together a number of important resources to help you prepare for IE7:

Developer and IT Pro readiness check lists,
Detailed documentation on important changes in IE7,
Testing and debugging guidance,
Tools for testing, debugging and investigating issues,
And more?

Download and use the Application Compatibility Toolkit ? Helps test browser-based applications to ensure they work with IE7.

Visit the Microsoft Internet Explorer Developer Center ? You will find an array of important information for developers.

Use the Information Index for Internet Explorer7 ? Think of this as a table of contents linking you to documentation, blog posts, whitepapers and other information on IE7.

Read the IE Team Blog ? Use the search feature on the right to find previous posts on almost any topic you can think of with regard to IE7.

If you aren’t ready for IE7 I detailed some steps you can take to block it from loading on your computers or a network of computers int this post, Keep IE7 From Loading Until You Are Ready.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - October 18, 2006 at 10:13 pm

Categories: IE7   Tags:

My Quick Internet Explorer 7 Review

Just got around to installing IE7 today, been using it for a few hours now, and I must say I like it a lot better than version 6. They got rid of the big buttons and made the top part smaller, so you actually get more of the webpage showing, they also added a search box after the address bar, it defaults to msn, but you can add more search engines or change the default search engine.

I like the tabbed browsing so far, initially when I first used it in Firefox, I didn’t like it, but it was just because I was used to alt tabbing between windows, etc, but, I’m old and set in my ways. This is a lot better than the grouping that was introduced in earlier versions; I turned that off in about 2 seconds.

It has the ability to find RSS feeds on the page you are on, although it doesn’t always work, when you click on one you can add it to your saved feeds with one click, but what would be nice is if the feed button in the browser did the same thing, but I guess it would have to detect the feeds first. All it really amounts to, as far as I can tell, is a bookmark to a feed, and it displays it in html format, and not the xml code. I will probably keep using the feeds I setup on my Google homepage, which I can tell by a quick glance if there are new posts or not, with IE7 you have to mouse over it to see if there are new posts before you click on them.

It asks when you install if you want to run the Phishing filter, I told it yes, but didn’t let it run very long, it really slowed down some sites, it may speed up on later visits to the same sites, but I visit new sites all the time, and I don’t click on unsolicited emails, so I think I’ll be all right without it.

The zoom feature is pretty cool, but not sure if I like the new favorites button, maybe if I rearrange my favorites somehow, but it uses less room, and when you have a lot of bookmarks, it seems hard to navigate. You can always add the menu bar back, so you can use the normal links at the top, but I’ll see if I can get used to the new way.

Security remains to be seen, I guess we’ll find out soon enough if it is more secure or not. Once I get used to where everything is at, I think I will really like it, it’s just new, so there’s some getting used to. Microsoft will be pushing it out to everyone the first of November, but it you want to get it now, visit the download page and get the latest version, I think you’ll like it.

As I find new stuff and figure out the differences, I will just tack it on at the end of this post.

1 comment - What do you think?  Posted by Jimmy Daniels - October 14, 2006 at 4:33 am

Categories: IE7, Reviews   Tags:

Keep IE7 From Loading Until You Are Ready

Microsoft has had a utility available to help organizations block the automatic update to IE7 for a few months now. It just creates a registry key and turns off the ability to update automatically and blocks receiving the update through the express option on Windows Update. You can get the Toolkit to Disable Automatic Delivery of Internet Explorer 7 here . It also includes a group policy administrative template to help you do this accross your domain.

The folks at Intelliadmin have created a nice utility to help everyone else do it using their mouse! With their IE 7 blocking tool, you can do any computer you have an account on.

1 comment - What do you think?  Posted by Jimmy Daniels - October 11, 2006 at 1:07 am

Categories: IE7, Security, Windows Update   Tags:

Last Chat with the IE7 Team Before Release

One last expert zone chat before IE7 ships, from the IEBlog,

We wanted to give you guys one last chat session before we ship IE. So if you can, you should join us for the chat this Thursday, October 12th at 10.00AM PDT (5.00GMT) otherwise you can catch all the action in the transcript.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - October 10, 2006 at 12:07 am

Categories: IE7   Tags:

IE7 Update Could Adversely Affect Many Websites

In July, Microsoft announced that it will update Windows XP SP2 users automatically using Windows auto updates, in the past Microsoft has phased them in slowly, this one will be done practically overnight. Now, I’ve heard mostly good things about IE7, I still have not tried it myself, I know, I know, what kind of geek am I, I will probably wait until it upgrades everyone and see what happens. But, when that happens, online merchants will see the biggest part of their userbase changing browsers, and they will be answering the phones a LOT more than they do now, until users get used to using IE7.

“I applaud what Microsoft’s done with IE 7, and the browser works very well,” said Richard Litofsky of Rockville, Md.-based cyScape. “But even the best software needs time to work out things once it’s in the wild.”

The automatic updating of most browsers — Internet Explorer controls 83 percent of the world’s browser market according to the most recent data from Net Applications — will stress Web sites’ help desks like nothing before, Litofsky claimed.

“Virtually overnight all these sites are going to be running a whole new platform.” Source: Techweb

If you have trouble when you are updated to IE7, you can use this tool, User Agent String Utility version 2, to make the website think your browser is IE6, as you could have rendering problems if the website does not know what browser you are using.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 30, 2006 at 1:17 am

Categories: IE7, Windows XP   Tags: , , ,

IE7 Immune to VML Exploit

In testing on a couple different blogs, IE7 has proven to be immune to the vml exploit currently making the rounds. Ed Bott says Vista passes one security test,

Now, it’s important to note that the developers of IE7 clearly had no idea that this vulnerability existed in IE6. But their development process managed to block this particular exploit right out of the box, and the additional layers of security provided important clues that this page was potentially dangerous.

Sandi Hardmeier at Spyware Sucks says Important – IE VML Vulnerability – IE7 is immune and as a matter of fact says it has been immune to almost all the other vulnerabilities that have come out since its realease.

And the IE team says, “…With the exception of a very short list of issues we’re aware of and working on, we think the product is done…. Depending on your feedback, we may post another release candidate. We?re still on track to ship the final IE7 release in the 4th calendar quarter.”

Sounds like this may be as good of a time as any to read the release notes and upgrade to IE7, but be warned, there are still some software issues with other programs.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 26, 2006 at 2:08 am

Categories: IE7, Internet Explorer, Security, Virus Info   Tags: , ,

« Previous Page