[Sydney]

We received reports this morning that a security researcher had found a bug in the IE7 Beta 2 Preview release. This issue reportedly crashes IE and is exploitable to execute arbitrary code on the user’s computer. Naturally, we take the security of IE and our users’ safety very seriously, so we investigated immediately. We did confirm that the bug crashes IE. However, we did not find that the bug was exploitable by default to elevate privilege and run arbitrary code.

This bug had already been found during our code review and analysis that is a mandatory part of our development process; it was scheduled to be fixed before our next public release. We do not believe this bug is easily exploitable, and as an extra defense, the /GS flag also catches the overrun. This is a compiler flag that tells Windows to watch for some classes of buffer overflows. If Windows sees a problem, it kills the application, in this case IE, instead of running the exploit code. While this is certainly not our primary line of protection, it does offer defense-in-depth to help keep our customers secure.

At this time, we are not aware of any active exploits taking advantage of this bug. We will continue to monitor the situation and evaluate our response.

Finally, I’d like to reiterate the importance of the responsible disclosure of security issues. We firmly believe that privately disclosing security issues to software vendors is the best way to keep the users of the world secure.

Source: IEBlog

Microsoft gets flooded with IE7 bug reports
Bug reports and security warnings have started poring in mere hours after Microsoft made a public beta 2 of its forthcoming internet explorer browser available. Security researcher Tom Ferris exposed a vulnerability in the browser that causes the the application to crash or execute arbitrary code when a user visits a specially crafted website. Other users reported issues with McAfee anti-virus software. Users are unable to launch the McAfee Security Center. A Microsoft employee on the IEBlog responded that it is caused by stricter URL-scheme handling in the browser and that they are working to repair it.

The browser also has problems working together with several anti-spyware applications, according to numerous reports on a Microsoft mailinglist. The anti-spyware software can prevent a file called 'msfeeds.dll' from being registered. A Microsoft employee on the list provided a workaround, but it requires relatively advanced computing skills.

Source: MSFN

Dieser Beitrag wurde von Sydney bearbeitet: 02. Februar 2006 - 09:24

[Rika]

http://www.security-protocols.com/advisory...23-advisory.txt

Zitat

we take the security of IE and our users’ safety very seriously

Dieser Beitrag wurde von Rika bearbeitet: 02. Februar 2006 - 12:38

[flo]

Wie oft denn noch das Posten von Reinen Englischen Texten ist hier nicht erwünscht.

[nim]

das problem wurde von uns bereits gestern in der news zum thema ie7 sicherheit erwähnt.