BREAKING: The Bug Report That Would Not Die: Dino’s Finding Works In IE7

Thomas Ptacek | April 24th, 2007 | Filed Under: Apple, Defenses, Disclosure, Industry Punditry, New Findings

This just in: anonymous sources at 3Com confirm Dino’s QuickTime vulnerability is exploitable in IE7 and IE6 on Windows XP.

Watch this space for details (Is XPSP2+DEP reliably exploitable? You can’t run IE7 on XPSP1, so, probably! Vista?) as they’re made available to us.

I think we can now safely conclude: this is a hell of a finding. Way to go, Dino!

Irony Alert

Consider the possibility that the one platform this vulnerability won’t work against is Windows Vista.

[Update: 4/25]

As usual, the comments on this post are much more valuable than anything I’ve written. Rosyna Keller and Skywing are discussing the protection mechanisms in IE6/IE7 (anyone know what the equivalent protections are in Safari? Oh, wait…).

More importantly, our source at 3Com has re-confirmed that IE6 and IE7 are vulnerable to this attack. More details about the vulnerability as they become available.

[Update: 4/27]

I’m simply deleting comments that say things like “XXX is not vulnerable” or “YYY is vulnerable” without evidence.
