An independent researcher needed just 15 minutes to find the first bug in the Beta 2 preview release of Microsoft Corp.'s Internet Explorer 7 browser.
Tom Ferris, of Mission Viejo, California, published his findings Tuesday just hours after Microsoft released the beta code. His findings are posted at http://www.security-protocols.com/advisory/sp-x23-advisory.txt. Ferris discovered the bug, which causes Internet Explorer (IE) to crash when it tries to read a specially crafted HTML (Hypertext Markup Language) file, using an automated security testing tool, called a "fuzzer" that he wrote to test Microsoft's browsers.
"Whenever they patch, I normally run IE through the fuzzing iterations, just to see if there [is something new]," he said. Ferris posted his findings at 8:30 p.m. Pacific time on Tuesday, the same day IE Beta 2 was released, he said.
Right now the bug can be exploited only to crash the browser, but Ferris says it's likely that his attack could eventually be modified to run unauthorized code on a user's machine.
The vulnerability appears to be exclusive to Internet Explorer Beta 2 browser, he said. "This is a completely new bug. I've never actually seen this in any browser before."
Microsoft was not immediately able to comment on Ferris's findings. A spokeswoman for the company's public relations agency said Microsoft is "looking into this."
Ferris has previously discovered bugs in the Firefox and Safari browsers, as well as in Windows XP, but even he was surprised at the quickness with which this latest vulnerability popped up.
Ferris's discovery is one of the quickest such bug-findings on record, said Mikko Hypponen, manager of antivirus research at F-Secure Corp. in Helsinki. "It's probably the fastest from launch to exploit that I've ever heard about," he said.
Microsoft spent millions to improve its software development process to make it more secure. The company has promoted Internet Explorer Beta 2 as a more secure product. But Ferris believes that his research shows that the software giant still has work to do in this area.
"I think that they're still lacking very common security testing methods. I looked at it for 15 minutes and I was able to find a clean bug," he said. "They still have a lot of work to do."
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »
Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.
Download now »
Sign up to receive Applications Resource Alerts
Recommend This
