Security Blog Log: Surprise! IE 7 beta has a flaw

Security researchers in the blogosphere are buzzing about a flaw in IE 7. Should users wait before taking the browser for a spin?

--------------------------------------------------------------------------------------------------------

Security Blog Log
Microsoft Chairman Bill Gates unveiled plans for Internet Explorer 7 (IE 7) at last year's RSA Security conference, promising that the industry's dominant Web browser would have more security muscle to fight phishing, malware and spyware. Since then, IE 7 has undergone a long period of beta testing.

Tuesday, the software giant finally released a beta version to the public, aimed primarily at developers and tech enthusiasts. It didn't take security pros long to start buzzing about it in the blogosphere, and it didn't take flaw-finders long to report a security hole that, they said, the digital underground could exploit for malicious purposes.

"I figured I would give it a quick look and I just happened to find something within the first 15 minutes [of] testing," vulnerability researcher Tom Ferris said in his Security Protocols blog. "So you are probably thinking, why release an advisory on a beta product? Well, why not? It's Microsoft, right?"

Ferris included a link to his detailed analysis of the flaw, saying attackers could use a specially crafted HTML file to crash the browser or execute malicious code.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

That prompted some bloggers to wonder if they should wait awhile longer before taking the browser for a spin.

"Well, it didn't even take 24 hours for someone to find the first vulnerability in Internet Explorer 7 Beta 2," network professional Martin McKeay said in his Network Security blog. "And here I was, contemplating installing IE 7 to play with. Maybe I'll wait until Beta 3 or 4."

Tony Chor, a program manager on Microsoft's IE team, addressed Ferris' findings in the software giant's IE blog.

"Naturally, we take the security of IE and our users' safety very seriously, so we investigated immediately," he said. "We did confirm that the bug crashes IE. However, we did not find that the bug was exploitable by default to elevate privilege and run arbitrary code."

Chor said Microsoft had already found the glitch during the code review and analysis that is "a mandatory part of our development process. It was scheduled to be fixed before our next public release." The distinction Chor draws matters: a reproducible crash on a crafted page is a denial of service, and it becomes a code-execution bug only if the underlying memory error can be steered into controlling what the browser executes.

People have grown accustomed to criticizing Microsoft and its security practices, and many agree that the software giant has deserved it to a large extent. After all, prior versions of IE, including version 6, have proven to be full of security holes attackers have exploited successfully on many occasions. Customers have gotten used to seeing a cumulative patch for the browser every few months.

That's why open source browsers like Firefox are all the rage today, even though those browsers have flaws, too.

But in recent years, the vendor has also shown that it's taking security a lot more seriously. Proof of that can be found in such offerings as Windows XP SP2, AntiSpyware and OneCare Live. Each product has its critics and there's no doubt Microsoft has been playing catch-up on its security. Ultimately, it seems to be moving in the right direction.

Some may still get discouraged by reports of flaws in IE 7, but it's important to remember that it's still in beta and that glitches are to be expected. The public beta is meant to be picked apart by researchers like Ferris.

The more picking the professionals do now, the more secure the browser will be when it emerges from beta.

Those who want to download the beta can get it from Microsoft. And while Google and others have generalized the term beta to mean almost any software that may be updated or changed later, Microsoft specifically intends this beta for testing only. It isn't meant to be installed on a typical user's computer as a replacement browser.
