Linked by Thom Holwerda on Wed 1st Feb 2006 18:40 UTC, submitted by Jason Scalia
Microsoft has released the 2nd beta of Internet Explorer 7 to the general public. You can read the release notes, or watch a tour of the new features. Microsoft warns you not to use this beta in a production environment: "Evaluation of Internet Explorer 7 should start now, but the software should not be used on production systems in mission-critical environments. Internet Explorer 7 Beta 2 Preview will only run on Windows XP Service Pack 2 systems, but will ultimately be available for Windows Vista, Windows XP Professional x64 Edition, and Windows Server 2003." Update: You might have been expecting this, but there's already a DoS attack out there for this new beta.
tomcat Member since:
2006-01-06

"ie7 isn't even finalized and security researchers have already found a proof of concept DoS attack that could possibly allow remote code execution. You're sad MS, you're sad."

You might try researching this topic, instead of bloviating. New security provisions built into IE7 render most attacks harmless. Here's why. When IE7 loads, it runs with reduced privileges (ACLs) by default. It doesn't matter whether the user is Administrator or a plain user. So, what does that mean? Even if IE7 crashes and triggers a buffer overflow, any attack is limited in scope to whatever a plain user can do. In other words, code *can't* install malware by modifying the registry, overwriting system DLLs, reading unauthorized data, etc.

The fact of the matter is that this goes *well beyond* the security model of Firefox under Windows. If Firefox crashes due to a malicious plug-in or bug, hackers *own* your machine. Not so with IE7. You will notice that no exploit code has been posted which contradicts my statements. IE7 is going to frustrate security researchers.

Reply Parent Score: 2

FreakyT Member since:
2005-07-17

"New security provisions built into IE7 render most attacks harmless. Here's why. When IE7 loads, it runs with reduced privileges (ACLs) by default. It doesn't matter whether the user is Administrator or a plain user. So, what does that mean? Even if IE7 crashes and triggers a buffer overflow, any attack is limited in scope to whatever a plain user can do. In other words, code *can't* install malware by modifying the registry, overwriting system DLLs, reading unauthorized data, etc."

True, but that only applies to the Vista version, not the one for XP.

Reply Parent Score: 1

tomcat Member since:
2006-01-06

Not true. XP has the same ACLs. Reduced privileges works on both XP and Vista.

Reply Parent Score: 1