that's just playing the blame game... MS should own up and fix the problem its been around since 2003 it doesn't matter if its Outlook or IE... (sure they obviously don't want the bug associated with the new & improved IE7) but really they should just fix it and move on instead of all this crap

Well, so far, IE7 and Outlook Express has an update coming but when? Yahoogroups.com has a members page that "Freezes/blends" IE7 into OE.

Well, so far, IE7 has an update coming as well as Outlook Express but when?

Ooh, yeah. This is a well-known hole since 2003. And there are millions and trillions of PCs out there destroyed by this exploit.
Tell me one, please...
Hot air for cool axx-brains.
Funny, When I read comments about Beta programs, there are maybe 2 or 3.
But the whole bunch settle down on a MS news. Yeah, even me.
Keep your host file clean, safe and have fun.
This is less important than if in China they steal a bike.

I've got half-a-dozen machines around me that have currently been disabled, if not destroyed by vunerabilities. I have no idea which vunerabilities are responsible, as that's practically impossible to determine. But I do know these machines are now critically 'bugged' and it's taking some serious time and money to remove the malware satisfactorily.

And this is a daily occurance, just in my small corner of the world. Exploits are a serious problem for your average user who doesn't know what they're doing. If a vendor can make their software more secure and more foolproof, they should be at least trying to do that.

Ed Bott dubunks this Secunia horse hockey by providing some facts to the discussion and adding this question:

"What should the criteria be for evaluating whether a product is secure? If your standard is that even a single patch means the product has failed, then you might as well unplug your computer and get busy sharpening your quill pen. No modern operating system or moderately complex connected application can pass that test."

Firefox sure can't, nor can Opera, etc. I got lingering CSS gripes with IE7, but not this nitpicking silliness.

ie7 still can't hold a candle to firefox but it is an improvement over ie6. Heck everything you can find is better in regards to functionality, features, security etc. The browser would of ended up like netscape if it wasn't tied to windows. That is exactly why microsoft did it. Now in regards to this exploit. If you could uninstall the browser, outlook express and the media player from the operating system it would not be as big of an issue for windows or microsoft. People would of ditched ie6 and whatever else a long time ago.

Just one of the mountain of examples how microsoft has bit itself in the ass.

Having had firefox twice break media player, I reluctantly tried IE7 soon after installing opera after a reinstall. WOW ... The new interface threw me for a while, but the new layout is quite simple and took to bull by the horns and has turned tabbed browsing into quite a simple and effective affair.

Back to the topic, if this issue is serious then MS will fix it.

Opera is my default browser, but IE is now so good to use.

ie6 hasn't been a serious problem for 5 years now? this flaw was discovered in 2003. Is it still 2003 in ms world? Must be, right?

In regards to firefox breaking another app? I have never seen it in two years. I could see ie7 breaking all kinds of things. Pretty much because it pretty much rewrote half the fricken os kernel thanks to it being what navigates windows.

Firefox isn't a easy affair with tabs? 2.0 has a built in spell checker that works on the fly and with add on's available at the click of a button to expand features, who can complain about it? There are very few things that are not compatible with it now. My college classes online, microsoft's outlook web interface, time card management programs and anything that uses active x.

But those are all being fixed to include firefox support at some point I hope ayway. Firefox is here to stay and is getting better all the time with more adoption.

So either your using some weird media player or your telling stories, or you just happen to have done something to break media player, I can bet you money it wasn't firefox unless you installed some extension to interface with it. If that is the case get rid of the ext.

Its a common problem

http://www.google.co.uk/...play.dll+error&meta=

Playing media clips does it, I have managed to clear it twice before but i was wanting to ghost my previous image due to a cleanup after testing a program. I wanted to install IE7 prior to this but firefox made me so mad i tried IE7 first and im glad i did.

"In regards to firefox breaking another app? I have never seen it in two years."

Do you play embedded media clips ?

"Firefox isn't a easy affair with tabs? 2.0 has a built in spell checker that works on the fly and with add on's available at the click of a button to expand features"

As i have previously stated, it breaks WMP intermitantly. I liked the interface, but my alternative choice in regards to security is Opera, which i think is better than FF.

"Firefox is here to stay and is getting better all the time with more adoption."

Good to hear it.

"So either your using some weird media player or your telling stories, or you just happen to have done something to break media player,..."

Weblink provided suggests different ...

"I can bet you money it wasn't firefox unless you installed some extension to interface with it."

Nope ... To be honest i use winamp to play media and only use Media player for embedded content in web pages.

Ok so that is yet another example of microsoft's ego thinking it is the only software company in the world. It is a Windows media player problem and yes I have had that happen on occasion. So yeah point is taken. I thought you meant it breaks windows media player, not windows media clips don't work in it.

"I could see ie7 breaking all kinds of things. Pretty much because it pretty much rewrote half the fricken os kernel thanks to it being what navigates windows."

That statement alone is so innacurate that it makes the rest of your post look as biased an informative as coming straight from Firefox PR dept (although you didn't need that statement to make it look that way anyway).

IE7 rewrites the OS kernel? That's by far the funniest thing I've read on betanews so far...but continue hating MS, maybe when you graduate you'll have a better understanding of how an OS works (although probably not, judging your post you're not in any computer related major).

so what's this fuss all about? I think we all agree, that IE and OE and windows explorer for that matter are not programmes, but system components. obviously, if a library contains a hole, which poses a security threat, all windows components that are using that library will be affected. you know, the services snap-in in winxp is also making use of the IE engine, so maybe it's a security risk too? Are we now going to list ALL the winxp components that rely on this component? MS will fix this issue at the beginning of the next month, when they will release the usual fixes. wait for 2 weeks and if you feel paranoid, pull the plug on your computer. end of discussion.

please stop trying to brainwash people to "pull the plug" on their computer....just use Firefox. end of discussion.

please stop trying to brainwash people to "just use Firefox" on their computers....just use your brain. end of discussion.

So....after hearing all this is it safe to use IE7 or should i continue on IE6 and download IE7 once it has been fixed??

Using IE7 is safe. In fact it's almost impossible to exploit the flaw because it requires the attacker to lure someone to a malicious site, and for the attacker to know what other secure site the visitor might simultaneously have open

Way to spam.

i could be wrong but i think this would also effect IE6 with outlook express as the real problem. And IE7 has other improvements but maybe newer flaws that will come out i'm sure in the near future. Who knows, i have IE7 it seems ok to me. I would think at the moment it is safer then 6.

IE7 in Windows Vista is NOT vulnerable, so the flaw is NOT in IE7 but in Outlook Express 6 in WinXP

lol, good old Secunia. When are they going to realize that they don't matter? They should have closed up shop long ago.

So this is where the platform fanboys run to beat their chests and meet.

Congrats! This is old news. Who cares.

Use the one you like. None of the browsers are perfect. Deal with it.

You know while we all like to sit here and argue what browser is better, whos fault is it, who said what when blah blah blah, the ones exploiting browser weaknesses and infecting the general masses with spyware are lauging all the way to the bank. Just an observation.

I disagree with the argument that just because it's an actack vector puts the blame on IE. Microsoft has to stand behind the fact that IE is inherently more secure than IE6. If they admit that IE7 has a flaw already, then IE's rep stays as garbage. The flaw isn't in IE, it's in OE. If they want to fix it, they have to patch OE, not IE7. Or they have to change the functionality that is making IE the attack vector.

Hmm, its funny that Secunia waited till the day IE7 went final to release this "exploit". No they couldnt have told everyone about it in the days leading up to the release no. They are loyal to FF and want to make IE7 look as bad as possible so IE doesnt take back some of its market share with a better and less bloated, faster product.

You FF fanboys can commense the flaming of my comments.

Agreed. Even the Secunia people imply their obvious bias against Microsoft in their statements, especially since they went public with this exploit before notifying Microsoft yet again.

They could have just written a sign that said "PSSt! Hackers, get Microsoft here!". It is obvious they don't give a DAM about software security, they care nothing for bettering software security--no, they're in it for the publicity and the wonderful 'contributions' they receive from third parties...

"Secunia finds it necessary and reasonable to flag Internet Explorer as being vulnerable if Internet Explorer provides a clear direct vector to a vulnerable component, which is included by default in a fresh clean install of Microsoft Windows," Kristensen writes.

I'm glad the experts are here to set the record straight...since she is misleading the public with the bolded statement, let me clarify--if you have Windows XP "fresh" and "clean", it cannot install IE7, as there are updates needed before it can install. Try installing IE7 from a "fresh, clean" Windows install. Assuming she meant Windows XP w/ SP2 slipstreamed, unless it is SP 2b (OEM and enterprise only revisions), it requires additional updates first.

I'm pickey--but the fact is, they claim to be smarter than Microsoft regarding Microsoft's own product (well, that or they are implying Microsoft is knowingly deceiving the public on this matter), and they are being very 'pickey' in the determination. I'm just responding in a pickey way :)

(deleted "heated" statements)

Hmmm, tested my system(s) and do not get it. I actually prefer IE7 over FF. I find FF to be rather slow and bloated.

I have OE 6 myself, tested in my IE7 RC1 as well as the final IE7...even with Outlook Express open, nope...my system passes. Something with our security settings perhaps?

I don't know about anyone else, but I'm starting to smell BS...

I do not have OE on my PC and my IE7 install passed the vulnerability test. If IE stands on its own and passes, it is NOT an IE issue but rather an OE issue as MS has stated.

Yes, but how do you not have OE installed on your PC? The vast majority of Windows users are going to have OE installed, so I agree with Secunia, it doesn't matter where the vulnerability lies technically. It's unfortunate for MS to have a security problem reported the day after their new browser ships, but an attack vector is an attack vector. If they're really committed to security, the solution should be obvious: fix it.

You can unistall OE through the Add/Remove Windows Components options in the Control Panel.

I like Thunderbird. :)

"Yes, but how do you not have OE installed on your PC?"

Wow--I'd guess you've used Windows a long time, given your expert knowledge :)

Funny...if an attack vector is an attack vector, isn't Mozilla responsible for all problems in Windows that could allow a virus to utilise the Windows exploit while using Firefox? Yup, that RPC vulnerability can still be exploited if you use Windows XP RTM, even with the latest Firefox version. Those cheap lazy bas****s...

This comment makes no sense at all.

How about actually trying that?

If you pay attention, it merely removes access to it from the Start Menu, the same as it does for Internet Explorer and Windows Media Player.

If it truly does remove them, then at 0.0MB of drive space gained, Microsoft has the smallest browser/mail client/media player combo on the planet.

Today, Firefox 1.5.0.7 forgot all my bookmarks for no reason. That bothers me way more than yet another gaping IE backdoor.

This isn't a bug in Firefox, it's a virus that got on your computer.

Exactly.

So you're admitting FireFox allows viruses to sneak in with the user being unaware? If he had a virus through FF, he would have had to override many security warnings, no? So which is it--he doesn't have a virus, FireFox allowed him to get it, or he is just lying to us and purposely deceiving you regarding the bookmarks?

I love the logic used in these debates some times :)

That's happened to me before as well.
Hooray for FF's auto bookmark backup.

I'd be laughing if I weren't too busy trying to figure out how to enable Firefox's built-in virus scanner. :)

Who the hell cares what component of Windows it affects? It could be friggen Calculator for all I care... just determine if it's a legitimate threat or some whiney Microsoft-flaming pathetic excuse for a security company out to make someone look bad... if it's a problem, FIX IT. If it's a whiner, beat them upside the head with a sledge-hammer.

I agree with Secunia's argument.

This type of bad publicity is exactly what we need to force MS to act more quickly. 3 years is a long time for MS to fix a vulnerability.

I wonder if they think it is a serious enough flaw to fix. Firefox has similar exploit that they specifically aren't going to fix since it breaks some of its features.

VikingBlade - please reference the exploit in firefox you're alluding too.

There is no such exploit.

It is all a myth brought on by Microsux fanboys. Just ignore them, they are worthless trolls.

You may agree with them, but even THEY don't agree with themselves. They knew MHTML URLs are handled by Outlook Express, and even tehy say it's an OE vulnerability. They are just trying to create FUD, and call into question the security of IE 7. Notice, the date, and what they have to say themselves:
Secunia Advisory: SA11067
Release Date: 2004-04-13
Last Update: 2004-06-15

Critical:
Highly critical
Impact: System access

Where: From remote

Solution Status: Vendor Patch

OS: Microsoft Windows XP Embedded

Software: Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.x
Microsoft Outlook 2000
Microsoft Outlook 2002
Microsoft Outlook 2003
Microsoft Outlook 98
Microsoft Outlook Express 5.5
Microsoft Outlook Express 6

CVE reference: CVE-2004-0380 (Secunia mirror)

Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS!

Description:
A vulnerability has been discovered in Outlook Express, which can be exploited by malicious people to compromise a user's system via websites or HTML emails.

The vulnerability is caused due to a weakness in the way MHTML URLs are handled. This can be exploited to execute arbitrary code in the "Local Machine" security zone with the privileges of the current user.

MHTML URLs are handled by Outlook Express. However, Outlook and Internet Explorer can also be used as attack vectors.

This advisory describes the same issue as:
SA10523

Solution:
Apply patches.

More genius logic at its finest--

betanews User A makes a claim that I have not heard of, so from this I can say with 100% certainty that:

1. User A is a 'Microsux fanboy'.
2. User A is stating myths as fact, intentionally deceiving people, even though we have not heard his response yet.
3. User A is a 'worthless troll'.

Man, I just love it when people can just determine so many things by one comment. Notice I have not and am not calling you a 'Secunia fanboy' or 'Mozilla fanboy' as I can only assume you were speculating and speaking in the heat of your frustration from previous times ignorant people have had blind commitment to Microsoft.

Heh, nice find.

Dangit, I'm so frikin tired of politics...

Quite the hypocritcal post, congrats.

The problem is that IE is hooked into many windows components whereas a third party browser is not and therefore would not be vulnerable to the same attacks.

ROFL. Nice.

Firefox unpatched vulnerabilities:

* Firefox File Upload Form Keystroke Event Cancel Vulnerability
"Charles McAuley has reported a vulnerability in Firefox, which can be exploited by malicious people to trick users into disclosing sensitive information"
http://secunia.com/advisories/20442/ 2006-06-06
Solution Status: Unpatched

* Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability
"WESTPOINT has reported a vulnerability in Mozilla / Mozilla Firefox, which potentially can be exploited by malicious people to conduct session fixation attacks"
http://secunia.com/advisories/12580/ 2004-09-18
Solution Status: Unpatched

What percentage of FF's userbase is installed on Windows? I've always wondered that.

This is why I love BN, the constant running battles between the camps.

FF vs IE
HD-DVD vs Blu-Ray
Zune vs iPod
360 vs Wii vs PS3
Linux vs OSX vs Windows
Vista vs XP
Sony vs Microsoft
Apple vs Microsoft
EU vs Microsoft
World vs Microsoft

Ah, what a wonderful world..