First IE critical security flaw discovered after XP SP2

Posted By: nektar | Aug 23rd, 2004 @ 12:51 PM
page 2 of 2
Comments: 31 | Views: 19473
#Aug 25th, 2004 @ 4:55 PM
Manip
Manip
Same.. and if your connection is on the slow side you can see the file quickly copying across.
#Aug 25th, 2004 @ 5:54 PM
Keskos
Keskos
Interesting but if I use maxhton (which is the browser I originally tested with) the flaw doesn't work, but if I use Internet Explorer, it does work. I don't know what's the difference but maxhton (myIE2) clearly shows me a warning dialog box. The dialog box maxhton shows is actually an IE dialog box, that is IE shows me the dialog box.

This is a serious security flaw, as serious as the security hole in mozilla.
#Aug 25th, 2004 @ 6:28 PM
Manip
Manip
Why are you testing IE bugs in another browser? That is a pretty silly thing to do.
#Aug 25th, 2004 @ 7:11 PM
Keskos
Keskos
Manip wrote:
Why are you testing IE bugs in another browser? That is a pretty silly thing to do.


I haven't used another browser, maxhton is using IE. It is like mozilla and firefox, they are both the same browser, they are using the same gecko engine. If you find a bug in firefox it is quite likely that it will be in mozilla too.

Also I thought you would be respectful after Charle's warning. What's the problem with you? Why do you continue your attacks?


#Aug 26th, 2004 @ 12:57 AM
strawberryJAMM
strawberryJAMM
strawberrily delicious and user friendly too!
Keskos wrote:
Interesting but if I use maxhton (which is the browser I originally tested with) the flaw doesn't work, but if I use Internet Explorer, it does work. I don't know what's the difference but maxhton (myIE2) clearly shows me a warning dialog box. The dialog box maxhton shows is actually an IE dialog box, that is IE shows me the dialog box.

This is a serious security flaw, as serious as the security hole in mozilla.

Can I assume that, as you mentioned in your first post around trying the proof-of-concept page, that you don't have SP2 installed?  Which, of course, means this bug isn't an "SP2" bug so much as an "IE6.0" bug that wasn't reported (and therfore wasn't fixed) before SP2 was released. 

While this certainly doesn't make the exploit any less troublesome, I do wish someone in the Online Tech News world would actually realize and expose this fact.  One can only hope that, if it is realized that this isn't actually a problem with SP2, per se, the media might lay off with the hoopla since it no longer qualifies as the security journalists' current "holy grail" - finding the first security flaw in XPSP2.  (Well, at least until someone else finds a new candidate for the role).

-=> strawberryJAMM <=-
Jenni A. M. Merrifield
#Aug 26th, 2004 @ 3:37 AM
Manip
Manip
strawberry, I think your giving online media organizations way too much credit. Your completely right, this was a bug in IE6 that wasn't reported and not a bug introduced *in* SP2.

Although I agree with you I also think that Microsoft's publicity about how they have really improved the security in SP2 has really come back to bite you guys in the ass.. like if you said you are 'un-hackable' and then get hacked. I know Microsoft didn't say no exploits would be found but you give the media an inch and they take a mile.
#Aug 28th, 2004 @ 10:44 PM
Keskos
Keskos
Manip wrote:

...And to be clear, your barred from mentioning peoples past mistakes in ANY context ....
....In general I find most of what you say offensive/rude ....
Maybe it is just my local culture and the way I perceive things but that is the way it is.


Charles, right after you try to calm down him, he comes around and attacks more. What's the point if you  warn someone only if he is going to ignore you and do whatever he wants until he calms down?

Manip wrote:
Why are you testing IE bugs in another browser? That is a pretty silly thing to do.


I am simply saying that you should better do something about these problems, because clearly you are being ignored. So far I haven't seen any benefit of being respectful and having a certain tone. I am keeping a certain tone only because you personally told me that you would step in and remind people to be respectful. But so far all I see is really nothing changes. Absolutely nothing. I ignored "troll" attack, then another attack comes in, and then another one.

Here is a real and clear suggestion:

1) If someone thinks another person is attacking him for some reason, he should ask for an explanation instead of attacking.

2) If someone makes false claims against another person, like he has multiple accounts, he is cheating, he is calling people liars, racists, bigot etc... he should either back up those claims or apologize.

3) If someone is being attacked, after you warn people, they should get over it and never make a retaliatory attack against the other person in anyway.

4) For something to be considered a personal attack, it should contain an insulting word, a made-up claim that puts somebody down, or clear out statement that implies that the other person is less capable one way or another.

These rules should govern the way people conduct themselves in these boards, so we don't have to hear the insulting words over and over again, or remarks which have no point but to annoy others.

Please provide input if you think I am missing something, or if there is something you disagree with my suggestions.
page 2 of 2
Comments: 31 | Views: 19473
Microsoft Communities