IE7: bad, Firefox 2.0: good? (and ultimate Coke+Mentos)
- IT TOPICS: Networking, Open Source, Security, Software, Windows & Microsoft
Woah there, it's IT Blogwatch, in which another IE7 vulnerability rears its ugly head, prompting the inevitable comparisons with Firefox 2.0. Not to mention more amazing experiments with Diet Coke and Mentos...
Jeremy Kirk has deja vu. All over again:
A security problem originally found in Microsoft Corp.'s Internet Explorer 6 browser has returned to haunt IE7, the new version of the browser launched two weeks ago, a security consultant said Monday. Danish security consultancy Secunia ApS posted an advisory regarding an issue where an attacker could potentially snare logins and passwords from an unsuspecting IE7 user. Over two years ago, security researchers reported the same fault in IE6.
If a user visits a Web site specially crafted by an attacker, and then opens a "trusted" site such as a bank or e-commerce site that has a pop-up window, the attacker can put new content into the pop-up ... This could enable the attacker to ask a user for financial information or passwords.
...
Secunia rated the problem as "moderately critical" ... An alert user might notice that they're under attack ... However, an attacker could also use this problem in combination with a pop-up spoofing weakness identified last week. Microsoft hasn't patched that problem.
The problem is that it is possible for a malicious website to inject new content into a popup window, which has been opened by a trusted site. This will trick many users and cause the user to believe that the content is served from the trusted site. In IE7 this is mitigated by the address bar always being visible. However, if this is combined with the IE7 "Popup Address Bar Spoofing Weakness" issue from last week, the attack would be very convincing.
This is the third vulnerability to be discovered in Internet Explorer 7 within 2 weeks of its release, and this is probably not the last vulnerability to be discovered. My guess is that we'll see even more vulnerabilities emerging within the next two weeks.
The Security Score: IE7 - 3; FF2 - 0 ... Yup, Internet Explorer 7 has jumped out to a big lead over Firefox 2. Internet Explorer 7 has managed to rack up its third security hole since being released two weeks ago. Firefox 2 has yet to be dinged with a security hole ... To rub a little salt in the wound: with IE7's third security hole being rated as Moderately Critical, that makes IE7 more dangerous to use than the old Firefox 1.5.x. They may have the same number of unpatched security holes, but one of IE7's security holes is rated worse. How much uglier can this get?
But the SpikeSource guys counsel caution:
FireFox launched their latest version 2.0 last week with much fanfare. Microsoft did the same with their 7.0 release. There was a bit of a scuffle to see which browser had the first security report lodged against them, and it looks like Microsoft is the first one. There was an aborted report on FireFox earlier, but it hasn't been acknowledged yet.
However, don't be fooled into thinking FireFox is winning. Slashdot has an interesting thread titled, 9 reasons not to upgrade to FireFox 2.0, citing many of the same reasons that have bogged down the previous version of FireFox, namely memory. Too much effort has gone into new bells'n'whistles and not enough on the real bugbears that cripple this potentially great piece of software.
But MSMVP Sandi Hardmeier stamps on the brakes:
Let's be realistic here ... Imagine, if you will, that you go to a fake Bank Web site - assuming the page isn't blocked by the phishing filter in the first place - then it has to convince you to click on a link that leads to a legitimate Web site... then the owners of the hostile site have to hope that your computer doesn't go nuts from the hundreds of popups per minute that are being generated. The constant clicking from the blizzard of 2 to 3 pop-ups per second is a dead giveaway that something is wrong to anybody using IE7 with its default settings.
...
So, if the user has not turned off the address bar for popups, or does not see that the address is wrong, if the user does not close the hostile Web site, if the user has turned off the IE sound cue that a pop-up has been blocked or the system does not have a sound card or speakers, if the user has turned off the info-bar, or the user has disabled the pop-up blocker, then the chances of success go up marginally - but the site still has to get around the phishing filter. And it has to get around the problem of convincing users to trust a site if hundreds of pop-ups within a couple of minutes is not normal behaviour for the site being spoofed.
David Berlind reads between the lines:
My point isn't that either browser has vulnerabilities or that one is less insecure than the other. My point is how the conversation regarding these and other insecurities that you just know certain people are racing to find will very likely overshadow the conversation about why these browsers represent advancements over their predecessors. Instead of upgrading to them for their features, the first question will be, but are they secure? Answer: No software except for "Hello World" is 100 percent secure. Ever. Now, the conversation appears not to be about why I should upgrade to one of these. It's about why I shouldn't.
- xMorpheousx416: Caused Secunia to divert USA Today's website on my machines - went directly to an advertisement page ... and caused a popup "block" loop in Firefox 2.0. The popup bar in FF just kept blocking the repeated attempts for the test site from opening a popup.
- robhardman: I'm not so sure of Secunia's statement, as the "phishing" pop-up window clearly displays secunia.com in the address bar, not usatoday.com. It *is* clearly an issue that needs fixing but the attack scope is limited, surely?
- JasonCox: Geez, how many bugs is this company sitting on?
Buffer overflow:
Around the Net
- Steve Kille: X.500 Still Important
- irq13/Bryan Murphy: Security Basic Training: The CIA Triad
- IT Compliance: Website Privacy and Security Lessons From the USPS
- Freedom to Tinker: Diebold Quietly Recalled Voting Machine Motherboards
- Matt Asay: Analyst: Oracle won't be able to outperform Red Hat on support
- Jack Schofield: MySpace Is So Last Year
- Threadwatch: Yahoo in talks to buy AOL
- Coding Horror: CAPTCHA effectiveness
- Michael Hugos: A Pragmatic Approach to IT Agility
Around Computerworld
- Jerri Ledford: Less gear on the go
- Joyce Carpenter: Why Software SUCKS -- the excerpt and the interview
- Robert L. Mitchell: New York Times imposes selective censorship on readers
- Jeff Boles: Acopia - Tier 0 or hotzone remapping? Taking the cutting edge the wrong way...
- Angela Gunn: Your passport gets out more than you do
- Robert L. Mitchell: Stripping down Longhorn virtualization
- Shark Tank: A penny saved, and all that
- Martin McKeay: Useless security measures
- Jeff Boles: What's your value proposition? Got one?
- Douglas Schweitzer: Expect the best, but prepare for the worst
And finally... More amazing experiments with Diet Coke and Mentos
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richij.com.