Security issue in IE7?


We received reports this morning that a security researcher had found a bug in the IE7 Beta 2 Preview release. This issue reportedly crashes IE and is exploitable to execute arbitrary code on the user’s computer. Naturally, we take the security of IE and our users’ safety very seriously, so we investigated immediately. We did confirm that the bug crashes IE. However, we did not find that the bug was exploitable by default to elevate privilege and run arbitrary code.

This bug had already been found during our code review and analysis that is a mandatory part of our development process; it was scheduled to be fixed before our next public release. We do not believe this bug is easily exploitable, and as an extra defense, the /GS flag also catches the overrun. This is a compiler flag that tells Windows to watch for some classes of buffer overflows. If Windows sees a problem, it kills the application, in this case IE, instead of running the exploit code. While this is certainly not our primary line of protection, it does offer defense-in-depth to help keep our customers secure.

At this time, we are not aware of any active exploits taking advantage of this bug. We will continue to monitor the situation and evaluate our response.

Finally, I’d like to reiterate the importance of the responsible disclosure of security issues. We firmly believe that privately disclosing security issues to software vendors is the best way to keep the users of the world secure. To report a security issue against any Microsoft product, please contact secure@microsoft.com. For other feedback on IE7, please use the methods Jason mentioned yesterday.

 – Tony Chor

Comments (40)

  1. Ryan says:

    Perhaps a patch should be distributed?

  2. Alexis says:

    Perhaps indeed.

  3. Football says:

    Perhaps a patch should be distributed? – or we can talk about FOOTBALL SOME MORE!!!! YEA! GO Steelers!

  4. IE7 locks up when I visit <a href="http://www.everypoker.com">internet poker</a>.

  5. Manip says:

    A patch for a remotely exploitable crash bug isn’t worth while releasing for a beta product. Wait until the next update and if you are really concered then turn on DEP.

  6. Jack says:

    Perhaps you should stop using BETA PREVIEW software if you think you need that patch.

  7. TheTOM.SK says:

    Interesting, that it did not crash my IE. I have even put that site to trusted, I turned off firewall, I turned on Windows Scripting Host and nothing has happened. I had IE v7.0.5299 instaled before, but in my PC is only urlmon.dll v7.0.5296.

    http://img19.imageshack.us/img19/381/capture020220061111265cg.jpg

    http://img301.imageshack.us/img301/6695/capture020220061131398bx.jpg

  8. Jeff Parker says:

    I have to agree with Jack. This is Beta software, someone found the bug great! fix it in final release that is the purpose of Beta. Like I seen someone complaining about not being able to un install the beta, they were upset because now they were having all kinds of problems with their computer. DO NOT INSTALL BETA ON PRODUCTION MACHINES. Sheesh, you wonder why Microsoft did not publicly release beta one and everone whines. They release beta 2 and people are trying to use it like a production browser. Beta is not intended for production use, if you do not have a spare machine to install it on then do not install it.

  9. JoeM says:

    Jeff Parker, people will complain no matter what you or MSFT does. My self I am happy that MSFT released a preview of IE7. I like to see their progress and give my feedback, Keep up the good work.

  10. Jonathan Stowe says:

    I’m not sure that I concur with your view of "responsible disclosure of security issues". Private disclosure only serves to prevent embarrasment of the software vendor and ignores the possibility that a number of people may have discovered the vulnerability independently, some of whom may not have the good intentions that the professional security researcher may have. Early public disclosure of exploitable flaws in software allows system administrators to mitigate the impact of the fault before the vendor releases a fix. Public knowledge of a fault is no more likely to bring forth a workable implementation of the exploit than keeping it hidden and hoping that someone doesn’t discover the fault with only the intention of developing and deploying an exploit without notifying anyone.

    But yeah whatever, a bug in beta software is probably a different case and it is probably more polite the vendor first, after all the reason it has been released for public testing is to find bugs.

    /J

  11. Mark says:

    I love how this blog entry’s title is "Security issue in IE7?", like it’s something completely unexpected:

    IE Team, collectively:

    "What? Our browser? Faulty? What!?"

    ;-)

  12. Brett Jiu says:

    Let’s say you live in a large apartment building. One day you discover that the backdoor to the building, which should be deadbolted, is in fact not and there’s not even a regular lock to keep it secure. Would you immediately 1) run a newspaper ad or write a blog warning everyone in the world about this, or 2) contact the superintendent and give him/her a chance to fix the security hole? I think most responsible people will go #2, and so should a security expert who discovers important security vulnerabilities.

  13. I Hate It says:

    3) Get the heck out of that apt, and move to someplace more secure.

    Where your analogy really falls down would be your "superintendent"? What would you think of him after he ignored all requests for the 6 years you’ve been at the apt. Would a shiny new apt building opening next year across the street by the same management keep you in your current apt?

  14. mystere says:

    Jonathan,

    I must strongly disagree with your comment "Public knowledge of a fault is no more likely to bring forth a workable implementation of the exploit than keeping it hidden".

    We need look no further than the recent WMF exploit in which a working exploit, and numerous variations on it, was made available because no patch was available to counter it. There was a workaround, and a few users benefited from that, but the vast majority of users weren’t aware of or didn’t know how to use the workaround. This left FAR more people vulnerable than disclosure saved.

    While I agree that critical vulnerabilities should not be left unpatched for extended periods, a responsible disclosure would allow the vendor some time to create a patch.

    In fact, this happens in so called "transparent" organizations as well, such as in the open source world. CVE’s are kept private until a vendor has patches available.

  15. Une fois de plus, Microsoft a encore besoin de bosser un peu, beaucoup… TROP ! Longue vie &#224; Firefox ! La source ICI Internet Explorer 7 : une premi&#232;re faille trouv&#233;e en 15 minutes Quinze minutes apr&#232;s avoir install&#233; Internet

  16. Sindre Solheim says:

    i think the beta 2 p is good!

    Some new things to get jused to, but nice!

    The only problem i had was that msn messenger din’t work with it!!

  17. donna says:

    use firefox insted………….eheh

  18. tracy says:

    use Maxthon instead………..eheh (better than both!)

  19. Eagle Averro says:

    well well there always Nagges this how less colourful  the wrld wil be without Naggers adn complainer LoL ;)  been ussing ie7 for over a year so far so good so keep up the good work and  remember " YOU need Naggers to keep YOU on your Toes" lol about the RSS i think th more can be  done to get some people to make sure thei RSS lnk work  i mentioned this to some stes. and al i got  " err what we are SURE it works" :-) see now  i have become a NAGGER nice chatting to you all       eagle

  20. Lawk Salih says:

    I will be switching to Firefox due to all the trouble I went through removing IE7 Beta.

    Lawk Salih

    http://www.lawksalih.com

  21. The authors of standards compliant websites thank you, Lawk.

  22. bill_bright says:

    I agree Eagle – Hay Naggers – it’s a beta. You signed up to be… "a beta tester". Now what a concept! Since Windows give the user the freedom to customize their PC, just about every one of the .6 Billion windows PCs out there are different in setup, software installed, and hardware. The software developers can only test a few 100,000 configurations with just a few thousand in-house employees – so they ask for your help in finding bugs. You find the bug, you "report" it – notice I did not say "nag" about it. The more "reports", the higher up the "must fix" list it goes.

    If all you want to do is nag about software, there there are lots of non-beta sites to do that. If you want help make a product do what it should, and choose to be a beta tester, then be a beta tester.

  23. FEOLA says:

    DESIDERO PROVARE LA NUOVA VERSIONE

  24. no SVG support?

    no XHTML support?

    no thanks.

    Opera and Mozilla/Firefox work fine.

  25. scu2006 says:

    中文試用版怎不出?是看不起華人嗎?