This bug had already been found during our code review and analysis that is a mandatory part of our development process; it was scheduled to be fixed before our next public release. We do not believe this bug is easily exploitable, and as an extra defense, the /GS flag also catches the overrun. This is a compiler flag that tells Windows to watch for some classes of buffer overflows. If Windows sees a problem, it kills the application, in this case IE, instead of running the exploit code. While this is certainly not our primary line of protection, it does offer defense-in-depth to help keep our customers secure.
At this time, we are not aware of any active exploits taking advantage of this bug. We will continue to monitor the situation and evaluate our response.
Finally, I’d like to reiterate the importance of the responsible disclosure of security issues. We firmly believe that privately disclosing security issues to software vendors is the best way to keep the users of the world secure.
Source: IEBlog
Microsoft gets flooded with IE7 bug reports
Bug reports and security warnings have started pouring in mere hours after Microsoft made a public beta 2 of its forthcoming Internet Explorer browser available. Security researcher Tom Ferris exposed a vulnerability in the browser that causes the application to crash or execute arbitrary code when a user visits a specially crafted website. Other users reported issues with McAfee anti-virus software. Users are unable to launch the McAfee Security Center. A Microsoft employee on the IEBlog responded that it is caused by stricter URL-scheme handling in the browser and that they are working to repair it.
The browser also has problems working together with several anti-spyware applications, according to numerous reports on a Microsoft mailing list. The anti-spyware software can prevent a file called 'msfeeds.dll' from being registered. A Microsoft employee on the list provided a workaround, but it requires relatively advanced computing skills.
Source: MSFN
This post was edited by Sydney: 02 February 2006 - 09:24