Thursday, October 19, 2006

IE7 exploit in under 24 hours

That didn't take long. Someone was probably saving it, and this begins to confirm my earlier comments, in 5 Tips to NOT Get Hacked Online, about Internet Explorer being an attractive target. The PoC IE 6 and 7 hack, as described by RSnake, means visiting a malicious web page could read data from any other website your browser can see. Hello web bank, hello web mail, hello intranet. The severity appears underrated, since it's really easy to exploit and the exposure here is fairly high.

Supposedly this vulnerability was known in IE6 months ago and somehow made it into IE7. Odd. Personally, I think IE7 vulnerabilities are of limited overall risk while the user base remains small. Several months from now it'll be a different story, when migration is in full swing. As security researchers and hardcore fraudsters become familiar with the product internals, the risk profile will change. The problem is that while IE7 is probably far more secure than its predecessor (fewer bugs = good), this does not necessarily mean less risk for users.

3 comments:

Anonymous said...

Actually, it looks like this was found back in April.. and never patched.. and forgotten..

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2111
http://www.osvdb.org/25073

i guess that giant is only pretending to be asleep

Anonymous said...

and lol, it looks like i posted to the wrong blog >.> .. now i see why people choose to sleep daily rather than every other ^^

i wouldn't be surprised though if phishing sites have been using it for the past 6 months

and now i nap ..

Jeremiah Grossman said...

hehe. I don't mind. :) Have a good sleep. ZZZZzzzzz