Secunia reports first flaw in Internet Explorer 7
Microsoft has just launched the final version of the Internet Explorer 7 web browser, and a security flaw has already been reported in it.
Internet Explorer 6 has seen so many patches and fixes in the last couple of years that it is no surprise that IE7 has carried over some of its existing flaws.
Secunia has reported that Internet Explorer 7 has a “less critical” flaw that can be used by identity thieves and other criminals to snatch confidential information from a PC.
Microsoft has been claiming that the updated Internet Explorer edition is a much more secure version and that users should upgrade to it as soon as possible.
Windows Vista contains an enhanced version of this browser and it is due to be shipped to Microsoft’s corporate customers starting next month.
[SECUNIA] Response to Microsoft claims regarding IE vs. OE vulnerability
Hi,
Microsoft claims the recent IE7 vulnerability is an Outlook Express vulnerability:
http://blogs.technet.com/msrc/archive/2006/10/19/information-on-reports-of-ie-7-vulnerability.aspx
This may be true – from an organisational point of view within Microsoft. However, the vulnerability is fully exploitable via IE, which is the primary attack vector, if not the only attack vector.
Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component.
For a long time Microsoft has had a policy of tagging various vulnerabilities where IE was the primary or only attack vector as operating system vulnerabilities. This does lead to some confusion and may cause users and system administrators to view the issues as less significant.
Again, while it may be correct from an organisational (and PR?) point of view within Microsoft, this does not fit into how it is perceived by users and administrators and how they are going to defend against exploitation.
In short, Secunia finds it necessary and reasonable to flag Internet Explorer as being vulnerable if Internet Explorer provides a clear direct vector to a vulnerable component, which is included by default in a fresh clean install of Microsoft Windows.
Hiding behind an explanation that certain vulnerabilities, which are only exploitable through Internet Explorer, are to be blamed on Outlook Express, Microsoft Windows, or other core Microsoft Windows components seems more like a way to promote the security of IE rather than standing up, explaining to the users where the true risk is, and taking responsibility for the vulnerabilities and risks in IE, which are caused by IE being so heavily integrated with the underlying operating system and other Microsoft components.
SA22477:
http://secunia.com/advisories/22477/
SA19738:
http://secunia.com/advisories/19738/
Vulnerability test:
http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/
Please do not hesitate to contact me if you need further information or comments regarding this or other vulnerability related issues.
–
Kind regards,
Thomas Kristensen
CTO
Secunia
Hammerensgade 4, 2. floor
DK-1267 Copenhagen K
Denmark
Phone: +45 7020 5144
Fax: +45 7020 5145
Direct: +45 3338 7602
Cell: +45 2690 7565