IE8 still vulnerable for old hole!

Hi malware fighters,

A cross-site scripting-hole that seemed to have been patched in IE8, apparently is still there.
The hole that makes browsers vulnerable to UTF-7 XSS attacks has been reported since February of the year 2007 ( http://secunia.com/advisories/24314/ ), and has been patched in Firefox 2.0.0.2 and in Opera 9.20. Recently it seemed the hole had been patched for IE8 as well. But the Microsoft browser still has this vulnerability.

This is reported by Inferno on his blog and he also adds a POC there, that actually works in IE8, but not in Firefox: http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/

Inferno further reports that he contacted Microsoft security and they are working to patch it. The fix will appear in the next edition of the MS browser: IE9.
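A UTF-7 XSS only works when the browser ends up interpreting a response as UTF-7, so that text such as +ADw- turns into "<"; the server-side defence is to declare an explicit charset on every HTML response. The following is an added example, not part of the original post or of Inferno's write-up: a small Python audit that reports the declared charset and any UTF-7 shifted sequences that decode to angle brackets. The function names and the sample responses are constructed for illustration.

```python
import re

CHARSET_RE = re.compile(r"charset\s*=\s*[\"']?([\w.:-]+)", re.I)
# A UTF-7 shifted run: '+', modified base64, optional closing '-'.
SHIFT_RUN_RE = re.compile(rb"\+[A-Za-z0-9+/]+-?")

def declared_charset(headers, body):
    """Charset from Content-Type, else from a <meta> tag in the first 1024 bytes."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    match = CHARSET_RE.search(ctype)
    if not match:
        head = body[:1024].decode("ascii", "replace")
        for tag in re.findall(r"<meta[^>]+>", head, re.I):
            match = CHARSET_RE.search(tag)
            if match:
                break
    return match.group(1).lower() if match else None

def utf7_markup(body):
    """Return the shifted runs in body that decode to '<' or '>' under UTF-7."""
    hits = []
    for run in SHIFT_RUN_RE.findall(body):
        token = run if run.endswith(b"-") else run + b"-"
        try:
            text = token.decode("utf-7")
        except UnicodeDecodeError:
            continue  # ordinary text such as "a+b", not a valid UTF-7 run
        if "<" in text or ">" in text:
            hits.append(run.decode("ascii"))
    return hits

def audit(headers, body):
    """Flag a response that carries UTF-7 markup and does not pin a safe charset."""
    charset = declared_charset(headers, body)
    hits = utf7_markup(body)
    at_risk = bool(hits) and charset in (None, "utf-7", "utf7")
    return {"charset": charset, "utf7_markup": hits, "at_risk": at_risk}

# Constructed sample responses: reflected text is UTF-7 for <b>hi</b> (inert markup).
REFLECTED = b"<html><body>You searched for: +ADw-b+AD4-hi+ADw-/b+AD4-</body></html>"
NO_CHARSET = ({"Content-Type": "text/html"}, REFLECTED)
PINNED = ({"Content-Type": "text/html; charset=utf-8"}, REFLECTED)
META_ONLY = ({"Content-Type": "text/html"},
             b'<html><head><meta http-equiv="Content-Type" '
             b'content="text/html; charset=UTF-8"></head><body>1+1=2</body></html>')

if __name__ == "__main__":
    for name, (hdrs, data) in [("no charset", NO_CHARSET), ("pinned", PINNED),
                               ("meta only", META_ONLY)]:
        print(name, audit(hdrs, data))
```

A response flagged `at_risk` should get an explicit `charset` in its Content-Type header; output-encoding the `+` character in reflected input does not replace that.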

next edition of the MS browser: IE9

ooh. can’t wait for that. :slight_smile:

Guess this can’t be fixed with a simple patch?

So in the meantime no patch for IE8 (which I still haven’t installed yet nor IE7), one wonders just how long it will take for IE9 ???

Perhaps I’m a little too cautious in waiting for the wrinkles to be ironed out. I was just thinking IE7 was stable when some sod released IE8, so the waiting game started again for wrinkles to be ironed out; now they are touting IE9.

God I wish they would totally get rid of the integration of IE into the OS, because that is the only reason I even consider an IE update.

Hi DavidR,

I think that will be very hard for them to do, and also this will not be welcomed by third party software developers that took the easy way out to make their software dependent on the IE-shell, the IE-windows-api’s and the IE-renderer-Trident, and will find themselves in a predicament when Microsoft have to follow up EC regulations and make their OS browser independent, their software will be downgraded to crap and they will have to follow certain standards for which MS always found their own. If it will come to this finally, they might have known the sword was hanging over their heads since MS integrated the browser so deep into the OS like with XP. For Windows 7 they seem to have gone back so the help function is no longer IE dependent as is the search function, so nearing EC regulations in these respects, taking Trident out and making the rendering engine also optional will be more of a problem. And what the actual situation is only Microsoft knows, because their source is closed source, so we are not fully aware of the problems there.
They knew beforehand they were on the slippery slope since their narrow escape with IE in the days of Win95/Win98. Now that IE became such an important part of a computer set-up and an OS without a browser is a handicapped OS, the situation is quite different.
Another argument for them is they want their own solutions to prevail. Web 2.0 online apps and OS independent faster rendering browsers aren’t particularly welcomed by them, that is why they think HTML-5 is a good thing. Getting IE out of Windows OS will be a nightmare, because it will mean a threat for Microsoft’s vendor lock-in, and that is something they do not want to lose,

polonus

I honestly don’t see why it would be so hard, what happens in Linux or OSX, they quite happily run without having an integrated browser and third party software engineers got on with working with the existing resources.

The OS would consequently have to use something other than the IE Shell for windows explorer rendering, but that shouldn’t really be a big deal either. Isolating the browser from the OS in my eyes is an essential security issue so that exploiting the browser doesn’t mean you may also have exploited the OS.

So as you point out, the real problem has nothing to do with how difficult it might be to do so but the potential loss of market share. They would still bundle IE with windows as the user would still have to have a browser if for no other reason but to find an alternate.

I don’t see the EU kicking up about (bundling IE, they may have to also bundle others, now there’s fun) that or they already would have with it embedded into the OS, when essentially it isn’t required. Then we would see IE taking much longer to start-up because it isn’t already half loaded with the OS on boot.

Hi DavidR,

At least GoogleChrome seems to have understood that, so much so that Flock also wants to opt for the GoogleChrome code with their following version of the Web 2.0 browser. The biggest threat to MS monopoly position would be a considerably faster competitive browser engine and online apps to threaten their bundled software folio, like Office, MediaPlayer etc. (again their biggest asset is vendor lock-in)…
I know the following essay is not completely without bias, and if only 10% is relevant the EC has some issues here, so I present this read here without MS-bashing in mind:
http://www.ecis.eu/documents/Finalversion_Consumerchoicepaper.pdf
So again take the information as presented above “cum granis salis”,

polonus

I’m so glad I’m using Opera ;D while peeing on IE :P, only used IE for MSW update only.

Hi malware fighters,

Microsoft also introduced the IE8 Standards Mode

When last month we found that the latest version of IE, IE8, could render the ACID2 test correctly, everybody at least for that moment was optimistic about the future of the browser. Then one found out that Microsoft repeatedly said that IE8 would only render the Acid2 test correctly in IE8 Standards Mode.

Further information about this issue was presented in the form of a comment by Chris Wilson, the IE Platform Architect, who announced that considering the problems experienced when changing from IE6 to IE7, Microsoft wanted to use a specific opt-in flag for IE8, the so-called IE8 standards mode: the X-UA-Compatible header. And that mode will look accordingly:


HTML: 
<meta http-equiv="X-UA-Compatible" content="IE=8" /> 

Or in the form of an HTTP header:

X-UA-Compatible: IE=8

Without this X-UA-Compatible header IE8 will render like IE7 does, so websites that were designed with IE7 in mind will not fail in IE8. New doctype documents, like HTML5 will be rendered in IE8 Standards mode.

Like with everything concerning the IE browser there were various reactions, like the obligatory “this is rather stupid”, as “it cannot be helped, let it be so” and “I think this was the best decision they could take”,

What do you think here? On the one hand this seems the only way that people will upgrade to a newer version of the browser anyway, on the other hand it poses some extra limitations and we are confronted with an IE specific option to determine the way Internet Explorer will handle “standards”, Mozilla will make the switch to HTML5 gradually as two main developers of the Mozilla browser stood at the cradle of HTML5, one being David Baron,

polonus