Print this article  |  E-mail this article  |  Comment on this article

Microsoft Confirms IE7 Address Bar Flaw

By Ed Oswald, BetaNews

October 26, 2006, 12:18 PM

Microsoft confirmed a vulnerability Thursday in the address bar of Internet Explorer 7. First reported by security firm Secunia on Wednesday, the issue occurs in popup windows. It is possible to display a somewhat spoofed address bar, the company said.

Due to this issue, a specially crafted URL with special characters may hide portions of the address. This could open the user up to attacks, including performing actions that it may not be aware of. Secunia has rated the issue as "less critical," its second lowest rating.

No attacks using this flaw are currently known, Microsoft said. It also recommended users make use of the Microsoft Phishing Filter that is included within IE7.

"The Microsoft Phishing Filter online service is designed to allow us to update it fairly quickly with information as sites are reported and confirmed by us," Christopher Budd of the Microsoft Security Response Center Blog said.

"We do have this issue under investigation and as always, once we complete our investigation we'll take appropriate steps to protect our customers," he continued.

However, Budd downplayed the flaw, saying Microsoft's research showed the full URL can still be displayed by clicking in the browser windows or address bar, or scrolling within the address bar.

Add a Comment (50 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By shara2

edited Oct 27, 2006 - 1:26 PM

This has been a inconvenience to me and the family. Navigation problems have occurred and it seems impossible to uninstall and reinstall the last software. We are waiting patiently for the corrections. I know that this happens we support the technicians and their efforts are appreciated. I thank you for this article because sometimes just hitting the wrong area or button can setoff unwanted events when dealing with computors. This article let me know that I was not in error. Thank you again.

Thank you

Score: 0

By sophist_dreams

posted Oct 30, 2006 - 8:23 AM

Microspud admits there's a flaw in IE7 and OBTW they are going to include it in the next round of auto updates in an attempt to force users to use FLAWED software. I'm beginning to think the idiots at Microspud are the real hackers in the world.

Score: 0

By anmol.2k4

posted Oct 30, 2006 - 11:19 AM

isn't anti-phishing technology going to stop ppl to access such websites in the first place.

there may not be cure but it is still preventing it.

Score: 0

By anmol.2k4

posted Oct 30, 2006 - 4:25 AM

I for one like IE7, and am hoping ie4linux2.0 team release it sooon. Cant wait.
And this is my gut instinct that with simple things like anti-phishing tech and pop up blocker will make Internet a safer place for most ppl as most of em are not power users.
But there is one tiny problem IMO, point out if i am wrong.
a) ipv6 (vista)
b) DNS requests
c) checking whether site is malicious or not.

all this will slow down browsing for most user.
and soon there will be a patch.
i know there is no better solution still........
i am sure few will start crying "Internet soo slow"

Score: 0

By Registered

posted Oct 28, 2006 - 12:53 PM

there are to many hackers that don't like microsoft,

and the biggest reason hackers and crackers don't like microsoft, is they keep attacking the little person, look at how many software subjects they have entered, and they still are not happy,

there product range is huge, and still they are getting into more and more, they just can't let a simple small company have a great peice of software and leave them to it,

microsoft are to big for there own good,

they are in to many subjects,

file compression,
video compression,
picture compression,

and this is just on compression alone, if i was a attacker i to would choose to make microsoft my enemy, and not for a single second would i want to attack a small little company like mozilla,

microsoft has brought this on them selves, they keep attacking people (of course legally) and trying to monopolize the IT industry, so hackers and crackers constantly attack them (illegally of course),

if one looks at microsoft product range, the picture is easy to see, they want there products the leading software in every single IT subject,

they are to selfish, and although they have the right, it's unethical and can't be justified, i would hate to think how many product companied they have made go bust,

last i heard there next target is PDF file format, as in there now going to creat software that does what Adobe PDF does,

why, PDF works fine, and has been working fine for ages, there is nothing wrong with PDF, but again this is a prime example of what microsoft stand for, if they can they will,

which is wrong, the question should be, just because we can, doesn't mean we should, can they justify now going against PDF, "i say no"
PDF works fine, and if they think that they can bring more compression to the world, please, there CAB compression is crap, RAR, ACE, 7zip all beats CAB compression, and works x2 faster,

microsoft are bullies, selfish, and think of themsleves as leaders of the computer world,

i hear and now say that Internet explorer (10 years in development), will never be as sucure as Firefox (3 years in development) because of the above,

i will say this though, firefox being so young, can not only keep up with the long developing Internet explorer, but in many cases beat internet explorer,

now that is funny, i'm sure you all have to agree with that, and this is where firefox deserves credit, because imagine how firefox would be if they had a extra 7 years of develpment on top,

most people don't want to attack the smaller browsers, they want the big boys, who ever that is, and in this case, (as with most cases) microsoft is the main target,

IE 8
IE 9
IE X

none of them will ever be secure enough to risk doing online banking, not ever,

it's a bold statement, but no more than what MS keeps doing,

how many times as MS claimed that this version of IE is the most secured yet, but within hours after release, they have to release patched to correct security holes, they should be sued for lying to there coustomers, and advertising false claims,

come on firefox, your small, have not much resources, and have far less developing experience, but your doing a great job, and i'm for one supporting you (i love seeing the small guy give it the big guy, nothing is better to see, then the bullies getting there own).

live long and prosper mr FireFox.

Score: 0

By Mutal1ty

posted Oct 28, 2006 - 7:33 PM

Here's the thing, 99% of the hackers aren't "attacking the browser" they are "finding loopholes, and ways around microsofts security to attack (or severely piss you off in the case of spyware) YOU ... NOT the damn browser. and they aren't doing it "because they hate microsoft" Its because no matter how much the other browsers improve or expand.. they will always be "an option" something someone has to download and install on the OS that you already have. and because of that the most used browser by FAR is STILL IE, THATS why it is targeted....

The hackers...they are doing it because they have a goal, to get either force information on you through spy ware or malicious code that guarantees you get thier pop ups and in turn make them money OR they want information from you like say, your browsing habits to determine what spam you'll click or even your financial info so they can steal your identity and your money.

and as for microsoft attacking the little people? lol well its not so much as "attacking" as learning from 3rd party ideas and innovations and improving them to keep their own products more desirable, Tabbed browsing, popup blockers, phishing alerts, all of these may have been implimented by other people but they are all the evolution of internet browsing due to the growing hostility and aggressivness of the small "evil" people who are finding the internet a whole wide new world for crime and easy money. Tabbewd browsing though... they just ganked that one lol. But hey, ie7 would just suck without this resource saving addon..

I for one can't stand microsoft for the simple fact that I have spent many many a nights reinstalling thier OS due to corrupt files, blue screens of death, etc. But I can also say that they have come strides since windows 3.11->95->98->XP, and I have to admit that with my experience has come the vivid fact that their OS has become MUCH more stable, and I am confident Longhorn will be even MORE so. I remember doing scheduled backups, formats and reinstalls of my home pc because 95, and 98se were so unstable after 4-6 months of daily use.. after the 1st service pack in XP I stopped doing it. Now I only do a clean install after upgrading my MOBO/CPU. So you see even though they are hated by everyone and their mother, they are in the end a BUSINESS, with a PRODUCT, and they have GOALS and PROFIT MARGINS to meet and STOCKHOLDERS to please. Its a dog eat dog world and Microsoft is the Big a** Bear with a velcro tail and a practiced bark. If you wanna compete, buck up l3itches join forces, quit fighting amongst your selves, its gonna take more than one doberman to take down a bear.

Score: 0

By utomo

posted Oct 28, 2006 - 12:12 AM

microsoft need to fix it soon, before forcing user to use IE7.
after they get the IE 7.01 safe, they need to include this on windows Xp CD built in. this will reduce the download load which is too big for people using the dialup

Score: 0

By Mutal1ty

posted Oct 28, 2006 - 6:55 AM

lol......... Dial up users?..... They still make you?

Score: 0

By Desides

edited Oct 28, 2006 - 9:07 AM

Something like 40% of US-based internet users are still using dial-up. That's one of the main reasons why, say, Mozilla has made keeping Firefox's download size under 5MB a requirement before shipping.

Not everyone lives in big cities like New York, you know.

Score: 0

By WayneWare

posted Oct 27, 2006 - 10:16 AM

When is MS going to get it right? For Christ's sake....all we want is safe software.

Score: 0

By Mutal1ty

edited Oct 27, 2006 - 11:58 AM

Read my rant, for the most part the software IS pretty safe, it has come strides learning from its own and other 3rd party browser mistakes and shortcomings, this flaw is an address spoof, only retards fall for spoofs, are you a retard?

Do you actually click and enter your password and user name when you get some email that says "ZOMG! j00 and some other f00s accounts got hacked, please click THIS --> (spoof link) So we can verify you are you!"

If so.... Give you computer to someone less fortunate and with more common sense, and go buy yourself an etch-a-sketch and have some shortbus shakin fun.

Score: 0

By foxfyre

posted Oct 27, 2006 - 7:57 AM

News? I thought this was part and parcel with the established release schedule of MS.

Score: 0

By gilligan

edited Oct 27, 2006 - 5:54 AM

A bug in EI7? All what I have to say is "ALREADY!!". Since I've been using FF, I totally forgot about IE!! I don't even know it still exists!! God bless you FF and keep up the good work!!!

Score: 0

By cranbers

edited Oct 26, 2006 - 7:56 PM

Ah well it was just a matter of time right. Too bad it was days after it was released. Thanks to wga there will be a whole lot of people not upgrading to ie7 even when they push it out via the update service. So I guess firefox is here to stay and ie7 is going to be a novelty.

We do have to give microsoft credit for actually releasing a update to ie. i mean with the market won they didn't have to do jack. The internet itself could stagnate for the next 50 years because were all stuck using ie6 on windows xp and microsoft is still raking in another billion in profit per quarter for doing nothing more then letting its stale, monopoly os sell itself.

Let's all pray to the firefox god for making this possible, without it. We would still be waiting for vista and using ie6 on xp indefinitely.

Score: 0

By THZGryphon

posted Oct 26, 2006 - 9:59 PM

"So I guess firefox is here to stay and ie7 is going to be a novelty."

Ignorance is bliss aye cranbers?

Score: 0

By cranbers

posted Oct 27, 2006 - 2:22 AM

so you honestly think ie7 would be here now if it wasn't fore firefox? Also considering firefox has nothing but word of mouth to carry it along its at 10 percent of user base now, that must show something eh?

Score: 0

By Desides

posted Oct 28, 2006 - 9:08 AM

"so you honestly think ie7 would be here now if it wasn't fore firefox?"

Competition spurs progress. You blast Microsoft for being lax with IE as if that kind of situation has never happened before.

Score: 0

By Mutal1ty

edited Oct 26, 2006 - 6:22 PM

Microsoft the company everyone loves to hate(me included), but isn't it funny how "IN the spotlight" these guys are?

I mean cmon FF, opera, etc all come out, have a flaw here and there, some may be published if ultra terrible, but if microsoft leaves a vulnerability that some DeeDeeDee with the IQ of a Hair dryer would fall for from some link by Nigerian royalty that oh so luckily was sent to HIM(most likely HER), who can't even speak ENGLISH, let alone spell the name of his own country, in some email.... then all hell breaks loose and every tech news site, and even cnn.com says.. ZOMG, microsoft is trying to destroy us, SEE I TOLD YOU THEY SUCKED!... ok.. thats enough, we all know microsoft IS a monopoly they DO own 90% of our souls and they AREN'T going anywhere any time soon... so lets just let it be Shut the F**K up and let them stock pile some more cash to open awsome tech schools for misfortunate kids, and donate money to save 3rd world countries, oh and to get rich some more.

I'm sick and tired of hearing about every god d*** bug found in microsofts software.... I'm not a retard, I don't click f**ked up or suspicious links, I DO know the extensions of filenames so I know, Titsnass.jpg.exe IS NOT a picture. There are companies out there who make an assload of cash on their software who are just as bad and in some cases WORSE than microsoft, Case in Point Realnetworks entire piece of s***, and half the games that ar on the market, hell and even some of corels s***. So get this $hit OFF the news, go find your patch and get on with life.....

Score: 0

By Desides

posted Oct 28, 2006 - 9:09 AM

"but if microsoft leaves a vulnerability that some DeeDeeDee with the IQ of a Hair dryer would fall for from some link by Nigerian royalty that oh so luckily was sent to HIM(most likely HER), who can't even speak ENGLISH, let alone spell the name of his own country, in some email.... then all hell breaks loose and every tech news site, and even cnn.com says.. ZOMG, microsoft is trying to destroy us, SEE I TOLD YOU THEY SUCKED!"

You just defeated your own "logic" there. If an exploit is likely to be abused, that kind of makes it important, doesn't it?

Score: 0

By Neoprimal

posted Oct 27, 2006 - 1:08 PM

Hahaha. Well then....I would have to agree completely.
It seems that while many sites publish flaws in software, MS tends to get all the publicity for the most minor stuff. I'm not complaining, I mean - what else can we expect when you're on almost every computer out there right? It's kind of like Brad Pitt and Angelina Jolie expecting to get any semblance of privacy in a 24hr. Wal-mart. It's not gonna happen. That being said, it just gets old hearing about the tiniest flaws that are going to be fixed with the next patch anyway.
Now if it's a major "this will allow so and so to delete your hard drive's contents" or something, then yeah I'd like to know about it and what I can do to prevent it, other than the common sense anti-virus/firewall/anti-malware solution that every PC user already knows about.
But I suppose in the long run, news is news and sometimes you have to scrape at the bottom to get any kind of story.

Score: 0

By cranbers

posted Oct 26, 2006 - 7:50 PM

Damn, now that is a rant.

Score: 0

By huttman

posted Oct 26, 2006 - 4:30 PM

Spoofing Bug

http://www.zdnetasia.com...9044215,61962473,00.htm

Score: 0

By THZGryphon

posted Oct 26, 2006 - 5:26 PM

A link to the same story....

Score: 0

By digitalmastermind

posted Oct 26, 2006 - 4:09 PM

Oh come on everyone what kind of company would release a product with flaws? Really come on.....

Oh wait...Microsoft would... WOW I'm so shocked!!! Can't wait until Vista comes out.

Hack Microsoft everyone since they make it easy to do!

Score: 0

By cooldude7273

edited Oct 26, 2006 - 6:11 PM

What they said...

Everything is released with bugs...

Score: 0

By jbaltz69

posted Oct 26, 2006 - 5:31 PM

Your SOOOOO RIGHT! I mean, I've never seen an OS X bug, a Linux bug, a FireFox bug, the list goes on and on. Man, Don't you find it odd that Microsoft is the ONLY company that releases buggy software? I'm going to file a case in a Federal court and get an injunction that makes them stop the sale of all their software!

Score: 0

By wincement

posted Oct 28, 2006 - 1:56 AM

Good luck with that.

Score: 0

By THZGryphon

edited Oct 26, 2006 - 9:58 PM

Mozilla released a product that needed no fixes?

Score: 0

By foxfyre

edited Oct 27, 2006 - 7:56 AM

Change that to "needed so many fixes for significant problems in such a short span of time" and it would be hard to list them all! ;-)

Score: 0

By Grazer

posted Oct 26, 2006 - 4:36 PM

Oh come on everyone what kind of company would release a product with flaws?
You know of a software company that doesn't?

Score: 0

By wincement

posted Oct 26, 2006 - 5:25 PM

Precisely

Score: 0

By SorenMD

posted Oct 26, 2006 - 4:04 PM

ZOIKS!

OH NOZERS!

Not another MS/IE flaw! HAHAHAHAHAHAHAHAHAHAHA

Score: 0

By skags442

posted Oct 26, 2006 - 2:22 PM

well IMO both FF and IE have a flaw that well most likely never be fixed.... THE USER

Score: 0

By PC_Tool

edited Oct 26, 2006 - 3:07 PM

lmao...

Best comment yet.

Score: 0

By Secret Agent Man

posted Oct 26, 2006 - 1:31 PM

A vulnerability in IE 7, eh? Brace yourselves, these comments are gonna get ugly.

Score: 0

By bourgeoisdude

posted Oct 26, 2006 - 1:35 PM

I'm sure that it is just a matter of time before this happens with FF 2.0 as well--

--most of the immediate flaws with IE7 and FF 2.0 will be stretched truth at best, because fanboy hackers "have" to find flaws in new products that are touted as "most secure". They will find flaws in these even if the products were perfect, because they live to destroy...

Score: 0

By Paradise-FH-

posted Oct 26, 2006 - 1:39 PM

good lord. calm down.

Score: 0

By bourgeoisdude

edited Oct 26, 2006 - 1:17 PM

When Secunia rates a Microsoft flaw as "less critical", you know they had to reach waaaayyyy down to the bottom of the barrel to dig this up.

Shame the bas****s don't actually care about security--they only want to reveal flaws right after the product is released.

1. Pop-up address issue, meaning you'd have to disable popup blocker;

2. "somewhat spoofed address bar" != "spoofed address bar"

3. "No attacks using this flaw are currently known, Microsoft said.". Admittedly, Microsoft is expected to defend their new product, so perhaps this is a grain of salt...

4. "the full URL can still be displayed by clicking in the browser windows or address bar, or scrolling within the address bar."

So really--Secunia "had" to find something wrong, else those Mozilla fanboys wouldn't pay the bills--er, I mean, otherwise IE7 might 'look' better than FireFox...

By the way, just as IE7 is attacked, it seems FireFox is being attacked as well--not by hackers, but by security companies that want nothing more than to destroy whomever it is they dislike: http://www.tgdaily.com/2...fox_20_secutrity_issues/

Score: 0

By Paradise-FH-

posted Oct 26, 2006 - 1:38 PM

the popup blocker doesn't block every popup. a user could click on a link that opens a popup and have this problem ... at least that's my understanding.

can we keep the vast right-wing conspiracies down for just a little while too?

Score: 0

By Frostek

posted Oct 26, 2006 - 12:37 PM

Whilst I expected this sort of thing, it's happened a lot sooner than I was expecting...

Score: 0

By THZGryphon

posted Oct 26, 2006 - 1:08 PM

Funny Secunia withheld the information until final release and promotion to announce their discovery. I doubt the address bar tech has changed since beta. Secunia is quite tainted.

Score: 0

By dwaterman

posted Oct 26, 2006 - 6:10 PM

I wouldn't think Secunia would analyze beta releases. Seems like a waste of time to me.

Score: 0

By THZGryphon

posted Oct 26, 2006 - 9:57 PM

This isn't joe bloe's desktop notepad beta app with 10 downloads.

Score: 0

By dwaterman

posted Oct 27, 2006 - 8:05 AM

It is still not a finished product.

Score: 0

By templarâ„¢

posted Oct 26, 2006 - 1:48 PM

i think so too.

Score: 0

By Kamika007z

edited Oct 26, 2006 - 1:57 PM

Yeah, well said. I call it a security firm that wants to make themselves look rather useful and important.

Score: 0

By mjm01010101

posted Oct 26, 2006 - 5:35 PM

Once again shifting blame from the vendor to the security company. Yikes. Perhaps the security companies should just stay quiet and we'd all be better off.

Secunia reports thousands of software products. It's not their fault the IE flaw is in there in the first place.

They didn't have a press release about it.
They didn't spam everyone that IE7 is out like MS did.

What a joke ya'll are.

Score: 0

By Desides

posted Oct 28, 2006 - 9:10 AM

I believe his point was that Secunia had ample time to publish this flaw, but waited until after IE7 was published to disclose it.

Score: 0

By THZGryphon

posted Oct 26, 2006 - 9:54 PM

You are so biased against MS you are making things up, as usual. Who said MS had no blame in this thread? What does MS having a press release or advertising about their product have to do with anything in this thread regarding Secunia's poor performance?

You are worthless and jaded mjm01010101.

Score: 0

By rp001

edited Oct 28, 2006 - 6:53 PM

Secunia first raised an alert for this vulnerability in April 2006. It was never fixed in IE 6 and ignored again in IE 7. So Microsoft knew about it and figured it is nearly impossible to exploit this flaw, so didn't bother to fix it.

Score: 0

Sep 5 - 8:44 PM ET Mozilla's Aza Raskin: The journey back to Ubiquity

Sep 5 - 7:10 PM ET Red Hat buys virtualization specialist Qumranet

Sep 5 - 7:06 PM ET Analysts: Online news viewers rising as newspaper readership falls

Sep 5 - 6:55 PM ET Where does Sarah Palin stand on technology issues?

Sep 5 - 6:51 PM ET Adobe Flash to deliver NFL games in full

Sep 5 - 4:29 PM ET Exclusive beta invitation from GameTap and BetaNews

Sep 5 - 4:09 PM ET Report: OLPC buy one, give one deal returns

Sep 5 - 3:45 PM ET No ruling yet in TiVo vs. EchoStar patent case

Sep 5 - 3:37 PM ET Google Analytics starts tracking Chrome, with intriguing results

Sep 5 - 2:14 PM ET Comcast challenges FCC's authority in sanction appeal