
10.31.06


Secunia Spars With Microsoft Over IE7

By David Utter

Denmark-based Secunia has brought up a trio of Internet Explorer 7 issues since Microsoft formally launched its new browser, and both sides have traded pointed comments about its vulnerabilities.

Secunia has been a quiet but well-trafficked source for the latest and greatest software problems. Widely used programs like Internet Explorer receive significant attention when they crop up in Secunia's list of problematic software.

I've seen a different side of Secunia over the past two weeks. Company CTO Thomas Kristensen has been a regular inbox visitor with some welcome insights into IE7 flaws reported to and posted on Secunia. On Halloween, the company launched its Security Watchdog blog with, what else, an entry about IE7.

"The Secunia "Security Watchdog" Blog will contain our response and opinions when vendors, researchers, articles, or a research paper calls for it," Secunia announced, and wasted no time in doing so as Kristensen took aim at Microsoft over the most recent find, an old flaw that has cropped back up in IE7.

"Two years, a new release of IE, and still no fix for the "Window Injection" issue," Kristensen wrote. "Users are at risk and Microsoft calls it a non-issue."


It gets better:

In 2004 the organisations behind Firefox, Netscape, Opera, Konqueror, OmniWeb, and Safari all confirmed the "Windows Injection" issue to be a vulnerability and subsequently issued fixes for this issue.

IE6 users had to change the "Navigate sub-frames across different domains" setting to protect themselves.

Today, in IE7 this setting has been enabled by default - that is a good thing - but it doesn't work - that is a bad thing!

Microsoft's Christopher Budd responded on their Security Response Center blog that the spoofing vulnerability "actually isn't a security vulnerability" and posted more about it:

This is actually an important design consideration for many websites, especially line-of-business sites, that re-use windows to provide a consistent customer experience. However, an example of how this could be used to mislead users would be for an untrusted site to pop-up a browser window over a trusted site.

To make this compelling, the pop-up window would be created without an address-bar. The combination of these events could then be used to add untrusted content to legitimate-looking pop-up windows in a phishing or spoofing attack.

In response to this issue, Microsoft designed IE7 to always show a pop-up window's address bar. Beyond that, Microsoft leaves it to the user to make the same observations they recommended in 2004: verify the address and an SSL connection when deciding to possibly trust a site.

"Would you really read the full URL and spot the difference and think "ahh someone is "phishing" me now?" Kristensen asked. "Well you may if you are really paranoid - most people aren't and they would easily be fooled." He named six other browsers also affected with the issue in 2004. Five of the six fixed it within six months; the sixth browser took eleven months.

Microsoft is still on the clock.


About the Author:
David Utter is a business and technology writer for SecurityProNews, WebProNews, and InternetFinancialNews.


-- CTOUpdate is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
© 2006 iEntry, Inc. All Rights Reserved Privacy Policy  Legal
