
Misplaced ‘&’ caused latest IE exploit

Submitted by on 9 January, 2022 – 4:33 am

A security hole in Internet Explorer that left the browser open to attackers since early July was caused by a single typo in Microsoft’s code. An errant ampersand (“&”) was to blame for the exploit, Microsoft admitted in a blog post published Tuesday on its Security Development Lifecycle (SDL) site. Michael Howard, a security program manager at Microsoft, explained in his blog that the typo corrupted the code of an ActiveX control used by the browser.

The control was built by Microsoft using an older library of code, which Howard admitted has failings. Because of those failings, the typo caused the code to write untrusted data, exposing the browser to attackers. Outside of its regular Patch Tuesday routine, Microsoft issued an emergency fix for IE, which it said would block attempts to exploit the issue in ActiveX controls.

Development tools like Microsoft’s own Visual Studio use the same library of code, known as the Active Template Library (ATL). On the same day it released the emergency patch for IE, the company also released a Visual Studio fix. Howard said the typo would have been difficult to spot in a review of the code, and that none of Microsoft’s code analysis techniques would have caught it either.
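The following C sketch is an added illustration, not Microsoft's ATL code and not part of the original article, of how a single stray `&` can send a write to the pointer variable instead of the buffer it points to, and how a typed destination parameter turns that typo into a compiler diagnostic. The function names, the untyped `void *` read interface and the input bytes are all constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical untyped read API: copies n bytes from a stream to dst. */
static void stream_read(void *dst, const unsigned char *src, size_t n) {
    memcpy(dst, src, n);
}

/* Hardened form: typed destination plus capacity. Passing &buf here is an
   incompatible-pointer-type diagnostic at compile time. */
static void stream_read_bytes(unsigned char *dst, size_t cap,
                              const unsigned char *src, size_t n) {
    memcpy(dst, src, n < cap ? n : cap);
}

/* Returns bit 0 set if the heap buffer received the data,
   bit 1 set if the pointer variable itself was overwritten. */
int run_read(int with_typo) {
    /* Constructed "untrusted" input, pointer-sized so both writes stay in bounds. */
    unsigned char input[sizeof(unsigned char *)];
    memset(input, 0x41, sizeof input);

    unsigned char *buf = calloc(1, sizeof input);
    if (buf == NULL) return -1;
    unsigned char *keep = buf;   /* saved copy for inspection and free() */

    if (with_typo)
        stream_read((void *)&buf, input, sizeof input); /* writes over buf itself */
    else
        stream_read_bytes(buf, sizeof input, input, sizeof input);

    int result = 0;
    if (keep[0] == 0x41) result |= 1;
    if (memcmp(&buf, &keep, sizeof buf) != 0) result |= 2; /* compare bytes only */
    free(keep);
    return result;
}

int main(void) {
    printf("intended call: %d, with stray '&': %d\n", run_read(0), run_read(1));
    return 0;
}
```

Because any object pointer converts to `void *`, the call with the stray `&` compiles cleanly, which is why a typed interface is the useful check here.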

“I’ll give you another clue – it’s a one-character typo.” The hole was originally disclosed earlier in the month by a pair of German researchers. Thomas Dullien (aka Halvar Flake), head of Zynamics GmbH, and his colleague Dennis Elser detailed their discovery in a blog post. So what will Microsoft do to protect against future typos? In his blog, Howard acknowledged the need to clean up the company’s coding process.

He said that Microsoft will update the tools it uses to find these sorts of mistakes. The company will also require its programmers to use the newer ATL code. In the past, Microsoft never told its programmers what to use. But, Howard says in his blog, “We’re going to modify that.”
