Tuesday, February 27, 2007

Rant Re: "Microsoft probes IE 7, Vista bug reports"

I have seen so many blog posts over the past couple of days carrying the title "Microsoft probes IE 7, Vista bug reports", copied from a ZDNet article, that I am beginning to wonder whether people are reading what they copy and paste, or giving the articles anything more than a cursory glance.

Obviously, ZDNet was practicing a bit of headline grabbing by specifically using the words "Microsoft" + "probe" + "IE7" + "Vista" + "bug" in the title of the article. Even more obviously, too many others (whether reporting services or individuals) either did not read the article or chose to carry on with the headline grabbing. As of this posting there are 82,100 search results for "Microsoft probes IE 7, Vista bug reports".

The reality of the French Security Incident Response Team alert FrSIRT/ADV-2007-0713 is that there is an Internet Explorer vulnerability which could be exploited in phishing attacks. This vulnerability affects both IE6 and IE7. According to the ZDNet article, Microsoft is quoted as saying:

"The IE flaw could only be exploited if an attacker were to lure a victim to a malicious Web site and then persuade the user to enter the address of a trusted site into the address bar. 'Customers can avoid this attack by opening and using a new instance of IE before visiting an untrusted site,' Microsoft said."

ZDNet explains the Windows issue as being "due to a problem with a component that does not properly validate user permissions", further indicating that this "could be exploited by an attacker with access to the machine to get information on protected files." The FrSIRT/ADV-2007-0701 alert states that Microsoft Windows Server 2003 SP1, XP SP2, 2000 SP4 and Windows Vista are affected.

It is, however, important to note Microsoft's explanation of this low-risk vulnerability:

"The Windows problem, aside from requiring the attacker to be logged on to the vulnerable computer, appears to only expose file information, not the actual contents of the file, Microsoft said."

So what is the real headline?

Microsoft is investigating two recently disclosed low-risk security vulnerabilities that affect Internet Explorer and the Windows operating systems.
