Serious flaw revealed in one-day old IE7
By Stan Beer
Friday, 20 October 2006 08:07
According to the Secunia advisory, the IE7 vulnerability can be exploited by malicious people to disclose potentially sensitive information.
The advisory states that the vulnerability is caused by an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.
What that means is that if a user visits multiple websites - as users often do - and one of them happens to be a malicious site exploiting the flaw, the attackers can gain access to any information entered on other sites, such as user names and passwords. If one of those sites happens to be an online banking site, that could present a serious problem.
Secunia says on its website that it has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected.
News of the vulnerability is likely to be an embarrassment to Microsoft, which has largely promoted IE7 as being a much more secure browser product than its predecessor. However, the very same flaw exists on IE6 but has not been patched for the upgraded version.
Microsoft plans to push IE7 to Windows XP users through its automatic update system during November. However, users will have a choice to accept the update or to opt out.
At the time of writing, Microsoft had not responded to the security alert.



