October 30, 2006 8:09 AM PST

Another IE 7 pop-up problem discovered

Last modified: October 30, 2006 2:53 PM PST

Update: Security researchers on Monday warned of a problem in Internet Explorer 7 that could allow malicious attackers to alter content in a legitimate Web site's pop-up window.

The browser issue could affect users who visit a trusted site by opening a pop-up window in that site that contains malicious code. This is the second IE 7 problem that has been discovered since Microsoft released the browser two weeks ago. Last week, a security flaw was discovered in IE 7 that could spoof the address of a pop-up window.

The two IE 7 security holes, if used in conjunction with each other, can easily dupe all but the most security-minded users, said Thomas Kristensen, chief technology officer of security company Secunia, which discovered the problems.

Secunia has classed the latest problem a security vulnerability, while Microsoft states the situation arises from "by-design behavior" in the browsers.

"The (Secunia) report describes a by-design behavior in popular Web browsers that allows a Web site to open or re-use a pop-up window," a Microsoft representative said. "In Internet Explorer 7, the Web page's actual URL is displayed in a pop-up window address bar, enabling users to accurately make a trust decision."

Microsoft said that people who follow its safe browsing guidelines and verify an HTTPS connection before entering sensitive personal information can increase their ability to guard against an exploit.

Secunia rated the most recent flaw as "moderately critical" because viewing the content does not provide attackers access to a user's computer. But it can still prove harmful if a user enters sensitive information into the malicious pop-up window, such as credit card information, usernames or passwords, Kristensen noted.

The vulnerability is also rated moderately critical because it requires user interaction and affects only particular trusted Web sites.

Secunia noted that the security flaw can affect a fully patched system running IE 7 and Microsoft Windows XP Service Pack 2.

The security company advises users to avoid browsing untrusted sites while browsing sites that they trust.


33 comments (showing first 20 comments)
one flaw a week in IE7
by Hardrada October 30, 2006 9:46 AM PST
... pretty good.
Hardly IE7
by SuperGhosty October 30, 2006 10:02 AM PST
For the IE7 bashers out there this flaw is not a bug in IE7 it is associated with a Microsoft Office component.
Create a separate WebSite or Blog for IE Flaws & update it once a day.
by Gurpreet Joshi October 30, 2006 10:48 AM PST
'Cause this is not 'news' anymore, this is becoming a day-to-day happening.
IE7, It's still the same quagmire.
by imacpwr October 30, 2006 1:44 PM PST
IE's turning out to be the same old same o as IE6...!!!
New number, same MS <lack of> quality!
by Microsoft_Facts October 30, 2006 2:00 PM PST
Is there a single person here that didn't expect IE 7 to be different than any other Microsoft product?
Let me see if I understand correctly...
by alinconstantin October 30, 2006 2:15 PM PST
...how this bug can be used for phishing.
You have to navigate to a malicious site, which will have to open another window of a legal site, which will have to open a popup window requesting information from you.

Hm... I thought that IE7 has a popup blocker, which will prevent you from even seeing the controlled popup. At least for me it does.

And, even if you have the popup blocker off, how stupid you have to be to navigate say a porn or warez site, click on a link and see opening all of a sudden a window of your bank site which opens yet another window asking you for personal data, and you'd still be willing to provide the data?!

Alin
Same problem affects Firefox 1.5 and 2.0
by twagnerma October 31, 2006 7:34 AM PST
Vulnerability Affects Firefox and IE, New and Old
http://www.betanews.com/article/Vulnerability_Affects_Firefox_and_IE_New_and_Old/1162235840
Let's use some common sense
by gigwerks October 31, 2006 8:40 AM PST
It doesn't really matter if you like or hate Microsoft, use Firefox or Opera, Apple, Linux, Windows etc. If you don't use common sense you will be ripped off. People have to know that if they don't see https:// they should NEVER input any personal information. They should never click INSTALL when they get an unsolicited request to "protect their PC" while surfing the web. They should never respond to an e-mail asking you to confirm your account even if it looks like it is coming from your bank.

People lose their life's savings on a daily basis to thieves that prey on those who don't use their common sense, even without Microsoft's or Apple's help. This so-called flaw could be avoided by not putting your personal information into a pop-up. Sounds pretty easy huh?

It is very easy to point fingers when a little bit of common sense is all we need.
Flaw or Exploit?
by Seaspray0 October 31, 2006 2:37 PM PST
The browser is only doing what the web page tells it to do... redirect to another page. It was designed to work that way as other browsers do as well. This "flaw" affects Firefox as well yet I see no mention in the article. The title would be more accurate as "Browser pop-up flaw discovered". As an attacker cannot gain control of your computer (can only fool you as to what web page you are really on), and will only work on web pages designed to do so, I question the author of this article in his manner of reporting it.
What to do now
by ostmanm November 1, 2006 12:21 PM PST
I have installed IE 7....so should I download IE 6 again and replace 7??????
Mine Passed secunia's test...
by mattumanu November 1, 2006 7:11 PM PST
Are we maybe starting to find out that IE 7 is a good browser after all?
Bottom Line: Change Your Browser
by wbenton November 3, 2006 7:24 AM PST
>>>The two IE 7 security holes, if used in conjunction with each other, can easily dupe all but the most security-minded users<<<

NetScape v7.1, v7.2 and v8.0 are not vulnerable.

Firefox v1.5 and v2.0 are not vulnerable.

But even if you don't use Outlook... IE7 is vulnerable. Except that Microsoft still gaffs it off as an Outlook bug even though it's been PROVEN to be exploitable!!!

Walt
Regarding popup blockers using internet explorer version 7.0
by nhanumath November 9, 2006 10:17 PM PST
Regarding popup blockers. Presently for old application we are using Internet Explorer version 6.0. Popup blockers need to be turned off when using Internet Explorer version 6.0. There is problem when user used by Internet Explorer 7.0. For new application will need to be entered into the Trusted Sites section because of having two or more pop-ups (when creating reports), which IE7 is not allowing (it allows only one pop-up).