Secunia claims second IE7 flaw
Microsoft confirms there is an 'issue'
IDG News Service - Just one week after claiming that users of Microsoft Corp.'s Internet Explorer 7 browser could be at risk to an online attack, Danish security vendor Secunia ApS is reporting a new bug in the browser.
The bug allows hackers to place a fake Web address in one of the browser's pop-up Windows to trick a victim into inadvertently downloading something from what appears to be a trusted Web site. Secunia has described the flaw in an advisory.
Based on its initial investigation, Microsoft believes that there is "an issue," a spokesman at the company's public relations agency said in an e-mail.
While the full URL of the Web page being displayed is present in the pop-up Window's address bar, the left part of the URL is not initially displayed, the spokesman said.
That problem could allow an attacker to spoof a legitimate Web site, Secunia said.
Microsoft's confirmation may come as a relief to Secunia, which reported another problem in IE7 just hours after the browser was released. Microsoft said Secunia's report was "technically inaccurate," however, because the flaw lay in a component of Microsoft's Outlook Express e-mail client, which could be triggered by the browser. Microsoft's comment on the issue can be found here.
Neither of the bugs is considered to be critical. But coming so soon after IE7's launch, they are somewhat of an embarrassment to Microsoft, which has made much of its focus on delivering secure software.
Secunia was surprised that Microsoft called its first report erroneous, given that the flaw can be triggered only through the browser, said Thomas Kristensen, Secunia's chief technology officer.
"From a technical point of view, Microsoft might be right. But from a user's point of view or an administrator's point of view, it doesn't really matter. IE is the vector," he said. "It was probably unnecessary to go out and try to blame Outlook in that way."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- The Critical Role of Support in Your Enterprise Mobility Management Strategy Most business leaders underestimate the importance of tech support when they choose an EMM solution. Here's what to put on your checklist.
- Separating Work and Personal at the Platform Level: How BlackBerry Balance Works BlackBerry® Balance™ separates work from personal on the same mobile device, right at a platform level. Find out how it can work for...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...
- Containerization Options: How to Choose the Best DLP Solution for Your Organization This webcast outlines a framework for making the right choice when it comes to containerization approaches, along with the pros and cons of... All Networking White Papers | Webcasts