IE7 Bug Reports Flooding In

the JoshMeister writes "According to ZDNet, bug reports are already flooding in for Microsoft's new Internet Explorer 7 Beta 2 Preview. Specific issues include the possibility of arbitrary code execution as well as incompatibilities with McAfee Security Center, anti-spyware programs, and online banking sites." From the article: "... browser testers may already be at risk, according to security researcher Tom Ferris. Late Tuesday, Ferris released details of a potential security flaw in IE 7. An attacker could exploit the flaw by crafting a special Web page that could be used to crash the browser or gain complete control of a vulnerable system, Ferris said in an advisory on his Web site. Microsoft had no immediate comment on Ferris' alert."

Duh!

[sparkydevil (261897)]

Of course it's got bugs -- it's a beta!

Re:Duh!

[dotpavan (829804)]

its a preview to the beta 2! wait for the beta 11 preview 46, its better

Re:Duh!

[by Anonymous Coward]

Well yes it is a beta and for that its not expected to be perfect. However this is for a product that is supposed to be secure by design, not by patching a million leaks like in the previous release of IE. I find it quite unacceptable to be finding major security issues so quickly.

Re:Duh!

[tassii (615268)]

Of course it's got bugs -- it's a beta!

I think the notable part is its the same bugs as IE 4 had.. and IE 5... and IE 6...

Re:Duh!

[walt-sjc (145127)]

So what ever happened to "trustworthy computing"? I believe the userbase would really like to see MS redesign IE from the ground up, much like what happened to netscape / mozilla. While it's no small effort, we are talking Microsoft here - it's not a cost issue. Perpetuating a design that has NEVER emphasized security just seems like the wrong thing to do - especially when it's "an integral part of the operating system" (as MS claims.)

Re:Duh!

[Junior J. Junior III (192702)]

That's what I was going to say, bug reports flooding in are a sign of a successful beta test. I wonder how many of them Microsoft will actually be fixing, though... that's kindof the whole point of it all.

Re:Duh!

[plague3106 (71849)]

Why would you use a beta for production work at all?

Wow

[saboola (655522)]

A beta of a Microsoft product has bugs? Color me surprised!

Re:Wow

[ucahg (898110)]

A beta of anything better have bugs. Otherwise the testers aren't finding them because they are most certainly there.

I don't even see how this is a news-worthy... it's a beta!

Bug reports already?

[VJTod (563763)]

It's beta software. Of course there will be bugs. The public B2 is much better than the leaked B2 which was still better than B1.

Taken with grain of salt... it's still beta.

good!

[steve.m (80410)]

sounds like a productive beta test. end users finding lots of bugs.

(anyone who would use it - or anything else beta - in a production environment is insane)

OMG....

[Lxy (80823)]

How can this be? How can BETA software have bugs? This must be a conspiracy. Call CNN. Get Faux News on the phone. this is a STORY!!!!

Of course it has bugs. Grow up already.

Security is Job 1?

[InfinityWpi (175421)]

This just goes to prove that Microsoft's newfound 'dedication to security' and focus on writing code with less bugs in it is just a pure crock of doodie. Obviously, if they opened their source and let us all look at it, we'd be glad to help them find and iron out all the bugs by releasing several dozen exploits into the wild at the same time. My god, if the beta's this bad, how bad will the finished product be when they've finished adding features? ... um, my sarcasm tag is on, right?

Re:Security is Job 1?

[varmittang (849469)]

It just makes you wonder if their new programming process MS has is better or worst than what it was before, and how it is letting these bugs get though. Was the product really not finished, yes I know its beta but most betas are at least close enough to finish that the programmers are looking for the obscure bugs, not ones that are just flat out sitting in the open like they are with IE 7. Is it the Alpha stage just slapped with a beta name so people will stop hounding them for IE 7.

Re:Security is Job 1?

[FireFury03 (653718)]

most betas are at least close enough to finish that the programmers are looking for the obscure bugs

What surprised me about beta 1 was that they hadn't even finished implementing features that were already on the final product's feature list. Actually, it seemed that they hadn't actually finished deciding what was going on the feature list.

Most people would consider that development stage to be alpha - beta is where you have finished implementing the feature list and you are now after feedback from the cus

Re:Security is Job 1?

[szembek (948327)]

I think you're missing the point that this is a beta test, the point of it is to find the bugs that are inevitably in any program. It is a good thing that they are being flooded with bug reports, because they can now see what needs to be fixed before releasing it. Of course I am not saying the final release will be bug free, but hopefully this preview will be successful enough to help Microsoft create a stable release.

This a good thing

[Beelub (252407)]

Getting bug reports on beta software is good. That's why it's released as beta.

Why is this front page, unless it's just the usual knee-jerk, let's-find-something-bad-to-say-about-Microsoft thing that makes Slashdot less than useful for info about anything about Microsoft.

Yeesh.

Re:This a good thing

[99BottlesOfBeerInMyF (813746)]

Why is this front page

This is on the front page for a number of reasons. First, it is somewhat indicative of the quality of the new software MS is planning to release. Yes, betas will have bugs, but no comment has been made about the remote exploit from MS, nor about the myriad failures to implement CSS properly. The number of bugs found in such a small time, is a meaningful metric and of interest to people here. It indicates to many of us, that the final version is still unlikely to properly implement the spec and that whatever new security practices MS is employing are probably not working to stop vulnerabilities. (Gee, big surprise.) The number of incompatibilities with current banking and other Websites is a useful indication to how much work the Web designers among us are likely to have ahead of us.

Second, because of the design of Windows and IE you can either install this beta for testing, or you can install the current IE, but not both. This means a number of people will install the beta, but end up also using it as an everyday browser, since they don't want to be constantly installing and uninstalling it for testing. Thus, security concerns with this beta may actually be a real concern. Those among us working to secure networks may want to account for this by restricting use of this browser for the time being.

Finally, the number of bug reports is a useful metric for gauging interest in the product, which is also of concern to people here.

Story is inaccurate...

[Manip (656104)]

Calling Tom Ferris a "Security Researcher" is like calling Bill Gates a programmer... He is more a 'Robert Scoble' character. And his discovery of arbitrary code execution is incorrect as per the link: http://blogs.msdn.com/ie/archive/2006/02/01/522682 .aspx [msdn.com]

The guy is not a professional anything, I mean he lists workarounds as 'Firefox'; which just shows how little he understands the security field which he claims to work in (A workaround should be a way to fix or bypass the bug, not a blind pointer at some random other product, even the Linux Security guys know that).

Re:Story is inaccurate...

[FireFury03 (653718)]

I mean he lists workarounds as 'Firefox'; which just shows how little he understands the security field which he claims to work in (A workaround should be a way to fix or bypass the bug, not a blind pointer at some random other product, even the Linux Security guys know that).

In most cases, yes - a workaround should allow you to continue using your current product. However, in some cases the affected product is considered so fundamentally flawed that alternative products must be considered. Even CERT has

Re:Story is inaccurate...

[Manip (656104)]

I'd agree with that in most cases, but people have looked at using this bug to execute and it seems highly unlikely unless we've overlooked something. If you are really concerned enable Data Execution Protection for that extra layer of security. In the interim there is no good reason (security wise) not to use IE 7 and, at least in my opinion, the bug should be fixed in the next beta release. No urgent patch is required. Plus if you feel that IE 7 is insecure then I'd suggest uninstalling, continuing to

Bill not a programmer?

[blakespot (213991)]

Calling Tom Ferris a "Security Researcher" is like calling Bill Gates a programmer...

• Why don't you sit down and code a BASIC interpreter for the MITS Altair on punch tape, asshat. Bill may be many things but he's busted out enough hardcore coding in years past to never lost the title of skilled coder.

blakespot

Bug identification & research for a beta relea

[digitaldc (879047)]

Look at the bright side, now we know what Ferris does on his days off.

Not surprised by the bugs...

[ripbruger (312644)]

...but I downloaded and installed and uninstalled this thing last night. Still seems there are loads of CSS problems in it (couldn't get a navigation menu to work but using :hover pseudo-class). It'll be interesting to see what MS comes up with on this one. It'll be nice to actually have a capable version of IE to test pages against.

It's.. Beta?

[PhrostyMcByte (589271)]

How is this news? Betas are there for finding bugs. If you don't want to risk more than the usual, how about just not using it?

The past builds were also riddled with bugs, and the IE developers are very involved with testers to fix them. It's not like they're just sitting with their hands over their ears yelling "LA LA LA LA I can't hear you!"

Re:It's.. Beta?

[RangerRick98 (817838)]

It'd be one thing if I could have IE 6 and IE 7 installed on the same install of Windows so that I could run them side-by-side. Then I could test stuff in IE 7 but still do the bulk of my Internet browsing with IE 6 which (theoretically) doesn't have these flaws.

Of course, in reality, I use Firefox for everything, so it's a moot point for me, but nevertheless it doesn't make sense to me that someone would release a beta product and have it install over top of a production product.

More annoying than the bugs..

[chou oishii (781237)]

..are the way it: a) Requires you to validate windows to install, b) Requires a reboot, and c) Actually attempts to pass off things like tabbed browsing and a search bar as innovative (really, take a look at the "demo" they bring you to when you first install it).

I'm not asking them to spend money advertising the fact that they're way behind the curve on browsers, just to stop lying to me.

Re:More annoying than the bugs..

[bmajik (96670)]

Requires you to validate windows to install

Ok, this doesn't buy the customer much, but is it really all that big of a pain? Do you just conceptually object to Microsoft asking "is that a valid Windows you're using?"

Requires a reboot

I am not thrilled about this but given the wedding of the browser rendering component and the rest of the user experience ("OS"), i can't say i am surprised. You have to reboot after uninstalling it also, by the way :)

Actually attempts to pass off things like tabbed browsing and a search bar as innovative (really, take a look at the "demo" they bring you to when you first install it).

Consider part of the target market for IE7: People that are happy enough with the features of IE6 that they haven't bothered looking at Firefox yet. For them, tabbed browsing and a search bar are new and innovative. These are things that everyone will potentially benefit from but not all people will seek out and discover by themselves.

Part of the reason my grandfather uses a computer at a public library to do web surfing and write email is because Microsoft brings "cool stuff" away from the realm of the early adopter and puts it in the hands of everyone.

Re:More annoying than the bugs..

[ChaosDiscord (4913)]

I am not thrilled about this but given the wedding of the browser rendering component and the rest of the user experience ("OS"), i can't say i am surprised.

While not surprising, it's still crap.

The core flaw is that under Windows you can't delete a file that is in use. The accepted solution is to set up a little script to run on reboot that deletes the file and replaces it with the new version. That's sad and stupid.

The Unix solution allowing you to delete an in use file solves the problem. It has

Re:More annoying than the bugs..

[DrSkwid (118965)]

> take a look at the "demo" they bring you to when you first install it

where can I download the OpenBSD version ?

So let me get this straight ....

[Brian McCoy (942227)]

people are claiming that a Preview Release ,not even a full beta yet, has bugs? Just wondering what these industry leading geniuses thought they were getting with a preview release? I have been using IE7 for a couple months now, my work provides me with a Technet Plus subscription, and I have had some issues. In most, if not all cases, I have been able to work around them and still rely heavily on Firefox. I will say that Microsoft has finally added some much needed functionality to their browser such as tabbed browsing and keyboard shortcuts which are exactly the same as Firefox's (coincidence, I think not). I guess my point is it's a preview release, it's not perfect and it has bugs, by using beta software you are agreeing to help solve some of the problems before final release, and there will be problems. Just my two cents worth.

Treat IE 7 as IE 6?

[Pascal Sartoretti (454385)]

The problem for Microsoft is that many web applications use the following logic:

if (browser is Internet Explorer) then

emit HTML code that works around the numerous rendering bugs of IE

else (Mozilla, Netscape, Opera)

emit standards-compliant HTML code

With this kind of (flawed) logic, IE 7 will often be identified as IE, and hence be provided with IE 6-specific HTML code, whereas it should have been sent "correct" HTML code. The result may be, well, interesting :-)

I really don't see what Microsoft can do against this. They can't expect millions of web sites to be updated overnight just to support IE 7.

Re:Treat IE 7 as IE 6?

[meringuoid (568297)]

I really don't see what Microsoft can do against this.

Perhaps, for compatibility, they could make the UserAgent string pretend to be Mozilla? Put the real identifier in brackets where the obsolete website scripts don't expect it.

Obviously there's no precedent for this kind of shenanigans at all, but it might be worth a try :)

Re:Treat IE 7 as IE 6?

[kawika (87069)]

Don't let Microsoft off the hook that easily. Most of the problems I've seen with this IE7 beta aren't the "we messed up the implementation" variety. They are the "we still don't support all of CSS" variety.

Microsoft has eliminated several bugs that made it easy to identify IE6 and apply hacks to the CSS. For example, the "* html" selector let you apply CSS rules just for IE because it's ignored by standards-compliant browsers. Now IE7 ignores that too. However, the need for hacks is still there. IE7 still does not implement several important CSS features that necessitated the hacks in the first place, such as min-height.

If Microsoft were to decide that this beta was "close enough" or even if it fixes just the minimum number of things to keep major sites from breaking, that's not going to help. Designers will end up needing an entirely different set of hacks to make up for the fact that IE7 is *still* not a complete CSS2 implementation.

Report Non-Compliance As A Bug

[Xopl (570449)]

I'm really serious about this... I'm not kidding...

The web community should start flooding the bug reporting for the IE beta with reports about CSS and XHTML/HTML standards non-compliance. Anything IE 7 does that isn't in line with web standards should be reported as a bug, by as many people as possible. And we should keep reporting these, daily, until the IE team wakes up to web standards and decides to support them.

Then, webmasters can make one version of the website that works in all modern browsers.

So what if it's a beta?

[SpiritGod21 (884402)]

OK, yeah, I got the point. It's a beta and betas will have bugs. But this isn't IE 1.0 Beta. This is freaking IE 7, and while it's a beta, you'd figure they'd have gotten at least some of these things straightened out in the past 6 versions. I'm not so much frustrated that a beta has bugs, but that even into version 7 they're still having huge problems and potential exploits.

Nasty security flaw that Microsoft missed

[OwlWhacker (758974)]

I was about to post something about bugs being natrual in almost all beta software, then I read the article...

An attacker could exploit the flaw by crafting a special Web page that could be used to crash the browser or gain complete control of a vulnerable system

So, this is actually a relevant article, despite its initial appearance.

We've got some new additions and enhancements to IE, and here we have a flaw that can give an attacker complete control over the user's computer!

I guess this is a taste of things to come in Vista? Evidence that Microsoft's secure code development practices are mostly just verbal pacification?

Re:Nasty security flaw that Microsoft missed

[blowdart (31458)]

We've got some new additions and enhancements to IE, and here we have a flaw that can give an attacker complete control over the user's computer!

Actually you don't. There's a flaw that can crash the browser, but the reporter of this offers no proof that it will result in code execution or the ability to take over a user's computer. Very few buffer overruns result in code execution, and without proof, it's just another crash.

Looking at how the reported went public before the vendor has a chance to respon

Re:Nasty security flaw that Microsoft missed

[zootm (850416)]

Fairly official response [msdn.com] (taken from another comment).

We received reports this morning that a security researcher had found a bug in the IE7 Beta 2 Preview release. This issue reportedly crashes IE and is exploitable to execute arbitrary code on the user's computer. Naturally, we take the security of IE and our users' safety very seriously, so we investigated immediately. We did confirm that the bug crashes IE. However, we did not find that the bug was exploitable by default to elevate privilege and run arbitrary code.

This bug had already been found during our code review and analysis that is a mandatory part of our development process; it was scheduled to be fixed before our next public release. We do not believe this bug is easily exploitable, and as an extra defense, the /GS flag also catches the overrun. This is a compiler flag that tells Windows to watch for some classes of buffer overflows. If Windows sees a problem, it kills the application, in this case IE, instead of running the exploit code. While this is certainly not our primary line of protection, it does offer defense-in-depth to help keep our customers secure.

So it appears that Microsoft's new development practices caught this bug internally before it was caught in the public beta, to find bugs like this. It also seems that the overrun is caught and dealt with (causing a crash as overruns should, but not allowing any degree of "control") by the system they are using for development anyway. Apparently the original article has not proven that the bug could be exploited at all yet anyway, so a response from his end will be required before this can really be seen as anything other than the sort of thing that's to be expected from a beta release.

Error in article...

[Linker3000 (626634)]

Microsoft had no immediate comment on Ferris' alert.

Not so - they tried to post a reply on his site but their browser kept crashing.

Using beta for banking

[ben_1432 (871549)]

What kind of dumb-ass uses a beta browser for their banking anyway? It's not going to kill them to flick back to whatever their regular (non-beta) browser is.

I don't just mean IE either. Firefox in it's pre 1.0 days had a bug where tabs could read form data from other tabs. Like credit card numbers. All the way up to 1.0.

Why aren't beta's being released with some sort of self-setting desktop wallpaper that says "Look dipshit this is a beta product, and not like Google Beta TM, like buggy beta, so spare a seconds thought before you go doing your finances".

In next weeks news: some stupid fuck loses his identity and $20000 minutes after using IE7 Beta to pay his bills, therefore IE7 is bad.

MSIE 7 in the wild

[harmonica (29841)]

Just looked at my logs for the last two days and MSIE 7 has already caused more requests than Opera/8, making it the #4 after MSIE 6, Mozilla and MSIE 5 (yes, grouping could be better for the Mozilla/Firefox family). It's a tech site, so the early adopters can be expected to show up here. Still, that was fast.

The Acid 2 CSS Test

[dshannon (704783)]

The famed acid2 test renders truly badly: http://www.webstandards.org/act/acid2/test.html#to p

From the IE Team Blog

[Pedrito (94783)]

Finally, I'd like to reiterate the importance of the responsible disclosure of security issues. We firmly believe that privately disclosing security issues to software vendors is the best way to keep the users of the world secure.

I'm sorry, but I take issue with this, particularly with a product being beta-tested, but really, with any product. Users need to know what exploits are known. If there are serious, known, security flaws in IE, that may very well affect my decision of whether or not I want to install it on my system. THe idea of keeping it hush-hush doesn't really help anyone.

Gee, its BETA SOFTWARE!

[TheSkepticalOptimist (898384)]

I know many people will just jump down Microsoft's throat for anything they do, they aren't my favourite company either. But I can't be sympathetic to people that complain about beta software.

1) NOBODY is forcing you to install a beta product. If you are curious or impulsive, and feel compelled to install beta software, your doing so at great risk to your security and data. Whether it's Microsoft beta's, Google beta's, or Linux Beta's, you are accepting that risk by the nature of installing beta software (its in the disclaimer)

2) THE REASON for beta software is to open it up to wider testing to CATCH AND FIX Bugs. This is a good thing, that bugs are flowing back to Microsoft. It will force them to fix the bugs and strengthen the product.

3) No, you CAN'T Sue, see 1)

4) Get a life. I mean, if IE 7 was in full release and these bugs were being reported, I would jump on the bandwagon myself and fire a few shots at MS, but this is still beta software, it isn't even a release candidate yet. Its intended for people with a brain to install it at their own risk and test the product, to REPORT bugs is the definition of what Beta software is. Obviously lots of stupid people are installing IE 7!

This is NOT NEWS, this is sad. To report and complain that Microsoft's beta software is full of bugs suggest a complete bias, prejudice, and ignorance towards them without merit or provocation. This is not microsoft screwing up, this is microsoft doing what countless other software companies do, release a beta in order to get feedback and bug reporting in order to fix and strengthen the product.

When FireFox 1.5 beta was released, it was full of bugs, but people praised Mozilla for their innovation and success. I can't stand double standards.

XHTML support

[Xugumad (39311)]

IE still lacks XHTML support of any kind - I don't want to seem picky here, but it has been 6 years. Sure, I can have applications I work on spit out XHTML that's mostly like HTML 4, and send the appropriate MIME type based on the Accept header, but I'd really quite like to see IE support vaguely recent standards, y'know...

Not so fast....

[Savage-Rabbit (308260)]

Do I get mod points now?

... you don't get the mod points until you explain what exactly it is that Microsoft is sucking on?

Re:Microsoft Beta Crap

[masklinn (823351)]

MSIE 7.0 is less stable than MSIE 6.

My my my, how's that possible, that the preview release of a beta version could be less stable as a software released 5 years ago is unheard of, i'd suggest you to sue Microsoft.

Re:Note: Its BETA

[xtracto (837672)]

Oh come on. Its Google. Don't expect it not to have bugs. All its products are BETA.

There you go, I corrected it for you. (no karma bonus checked for all those Gzealots)

Re:Ahh... what a relief...

[Kirsha (201264)]

Yes, specially since Firefox never had any bugs!

Right?