web application security lab

IE7.0 is Coming

I got this from a co-worker today: IE7.0 is coming and it knows if you’ve been bad or good, so be good for goodness’ sake. That means if you happen to run any sort of web application (I sure hope so, or you’re on the wrong website) you had better start testing now, and I do mean at this exact second that you are reading this, if you haven’t already.

There are a number of compatibility changes that affect a number of applications. The most obvious and annoying ones are where people ask (in JavaScript) whether the browser you are using is not IE6.0, because if it isn’t then it’s disabled, figuring that 6.0 is the latest revision. That is bad programming that forgets about future compatibility, and it is hard to get around unless you know what you’re doing. This will also mark a big change for the Cross Site Scripting Cheat Sheet, as a large number of the exploits will change (particularly the ones that use the JavaScript directive in images). Not that that is a particularly good vector, and I will keep it on there, but know that it’s changing.
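The version check described above, next to a forward-compatible form, as an added example that is not code from the original post. The function names and the user-agent strings are constructed for illustration.

```javascript
// Constructed sample user-agent strings (not captured traffic).
const SAMPLE_UAS = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  ie7: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  firefox: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7",
};

// Brittle pattern: "is this exactly IE6.0?" Anything else, including a
// newer IE, is treated as unsupported and the application disables itself.
function brittleIsSupported(ua) {
  return ua.indexOf("MSIE 6.0") !== -1;
}

// Parse the MSIE version token; returns null when the browser is not IE.
function ieVersion(ua) {
  const m = /\bMSIE (\d+)\.(\d+)/.exec(ua);
  return m ? { major: Number(m[1]), minor: Number(m[2]) } : null;
}

// Forward-compatible pattern: require a minimum version, not an exact one.
// The user-agent is client-controlled, so this is a compatibility hint only
// and must never be used as a security decision.
function minVersionIsSupported(ua, minMajor = 6) {
  const v = ieVersion(ua);
  return v !== null && v.major >= minMajor;
}

// Run both checks over every sample so the difference is visible per browser.
function compare(uas) {
  const out = {};
  for (const [name, ua] of Object.entries(uas)) {
    out[name] = {
      brittle: brittleIsSupported(ua),
      minVersion: minVersionIsSupported(ua),
    };
  }
  return out;
}

console.log(compare(SAMPLE_UAS));
```

Searching your own scripts for literal `MSIE 6` comparisons is a quick way to find the checks that will lock IE7 users out.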

There are lots of other changes, so if you haven’t tested your application yet, you had better start, and if you don’t have one to test, go get one so you can partake in some of the upgrade fun.

6 Responses to “IE7.0 is Coming”

  1. Kyran Says:

    Commenting from IE7. :P
    And I don’t run any sort of web app. I guess I’ll go home now. :(
    I wonder if any new XSS attack vectors will show up with IE7.

  2. RSnake Says:

    Hahah, okay okay, you can stay Kyran, but anyone else who isn’t running a website just move along now. ;)

    I’m sure with the new technology built into IE7.0 it will have a host of new/unique issues. What I’m most interested to test is the anti-phishing filters actually. I haven’t had time to play with those at all.

  3. Kyran Says:

    From my understanding, all it does is check the domain name against a list.

  4. Robert Says:

    One of the things about IE7 that impressed me most was when I was doing my RSS and Atom Feed vulnerability research. I discovered some issues in beta 1, emailed Microsoft and they replied back with ‘try beta 2 it came out yesterday’ and the issues that I discovered were fixed!
    It was really cool being impressed like that, looks like their security initiative isn’t just marketing hype after all ;p

  5. Jeremy Threshy Says:

    Speaking of IE7, I just read an article about Windows Longhorn Server’s completely disgusting security: http://neosmart.net/blog/archives/272

    It seems it never asks you to set an admin password even after creating an active directory - and doesn’t have any password complexity requirements….
    lol, they’re sad.

  6. RSnake Says:

    Eesh… well thankfully that’s something that probably can be fairly easily fixed. I got to admit though, changing my password every 30 days for accounts I don’t consider to be secure in the first place is pretty obnoxious. Something has to replace passwords eventually.