Bugs and Fixes: Internet Explorer 7 Proves Buggy Already
Internet Explorer 7 for Windows XP is finally out. Because it tries to fix or prevent many of the numerous security flaws that hit IE 6, it's arguably the largest bug fix we've seen in quite a while. For that reason alone, I recommend installing the update.
But IE 7 is not a panacea, in part because it still ties in to Windows for some of its work and can therefore pass along threats from buggy parts of the operating system (or other programs). We've seen a number of these types of problems recently, and now three more have been reported.
Less than a day after IE 7's release, Danish security firm Secunia said it had found a proof-of-concept, noncritical bug affecting IE 7. If you browse a malicious site while logged in to another site, an attacker could steal data you have on the logged-in site. Microsoft says the bug actually resides in Outlook Express, but IE 7 can be used as the attack vector, just like IE 6.
You're likewise vulnerable to a nasty, critical Windows bug involving XML, which is commonly used for Web sites and many document types, regardless of whether you use IE 6 or IE 7. Both versions hand off XML processing to Windows proper, where the bug originates. You could be infected with a drive-by download from a malicious Web site if an attacker directs a bunch of garbage data through IE to the newly discovered Windows weak spot. At press time no attacks had yet used this bug, but all currently supported versions of Windows could be hit. If you didn't receive the patch in Automatic Updates, check here.
The new IE does offer more protection than version 6 for another pass-through critical Windows glitch--one that has already proven to be a popular hacker target. This flaw hits the Windows Shell, which displays the Windows user interface. Attackers can employ an ActiveX control to reach the bug via IE (with yet another buffer overflow error) and thereby take over your system. As with the XML bug, all supported versions of Windows are affected.
IE 7 provides additional protection in this case because it displays an opt-in pop-up that requires your approval before running new ActiveX controls. The pop-up won't specifically tell you you're under attack, and if you just click OK as many people are now conditioned to do with many browser notices, you'll get nailed. But it's more protection than you'll get with IE 6, which on an unpatched system will download a malicious payload without warning if you browse a booby-trapped site. Get the fix from here or via Automatic Updates.