Four New "Extremely Critical" IE Vulnerabilities

  1. It is possible to redirect a function to another function with the same name, which allows a malicious website to access the function without the normal security restrictions.

Successful exploitation allows execution of arbitrary script code in the context of another website. This could potentially allow execution of arbitrary code in other security zones too.

  2. Malicious sites can trick users into performing actions like drag’n’drop or click on a resource without their knowledge. An example has been provided, which allows sites to add links to “Favorites”. However, resources need not be links and the destination could be different than “Favorites”.

  3. It is possible to inject arbitrary script code into Channel links in Favorites, which will be executed when the Channel is added. The script code is executed in Local Security Zone context.

  4. It is possible to place arbitrary content above any other window and dialog box using the “Window.createPopup()” function. This can be exploited to “alter” the appearance of dialog boxes and other windows.

Successful exploitation may potentially cause users to open harmful files or do other harmful actions without knowing it.

Disable Active Scripting.

Use another product.

Posted 'cuz I care.


A friend at work saw this news on Slashdot today and immediately downloaded and installed Firefox. Then I did the same, although I think I’m still going to stick with Avant here at home.

Kind of funny security warning, since this is all just regurgitated and a scare added to MS’s own warning and patches today.

So while I am not a fan of MS, a better move would have been to download the patches first, then Firefox.


There are ways to actually remove the unremovable-it-will-break-the-OS-Internet Exploder. That’s the route I chose for my personal hardware. For customers, it’s patch, have a firewall, use Firefox, yada yada.

From Infoworld (article here):

Internet Explorer has held more than 95 percent of the browser market since June 2002, and until June had remained steady with about 95.7 percent of the browser market, according to WebSideStory’s measurements. Over the last month, however, its market share has slowly dropped from 95.73 percent on June 4 to 94.73 percent on July 6.

A loss of 1 percent of the market may not mean much to Microsoft, but it translates into a large growth, proportionately, in the number of users running Mozilla and Netscape-based browsers. Mozilla and Netscape’s combined market share has increased by 26 percent, rising from 3.21 percent of the market in June to 4.05 percent in July, Johnston said.

Originally seen at Ars on July 13

And what exactly does losing the browser war mean to Microsoft? The company doesn’t sell it, it doesn’t generate revenue at all.

I’d like to see more than the two data points they’re providing for the last 2 years though.

The browser war for MS was a defensive fight. They had to win it to maintain O/S monopoly. The path of O/S monopoly for MS has always been control of the developers and development paths.

With the introduction of JavaScript and applets and so forth, Netscape Navigator was starting to look like an application platform. An application platform that would run on all manner of O/S’es, not just Windows. The fear was that web based applications would become ubiquitous and corporate IT departments would start realizing they could run their same applications on Linux + Netscape for less money than Windows + Netscape. MS decided that the browser needed to be a proprietary technology that locked people into Windows. So they set out to accomplish that end with IE, and succeeded to some degree.

They’ve been losing that battle for a while. See How Microsoft Lost the API War.