Stan Beer
Friday, 20 October 2006 17:57
Danish security vendor Secunia has hit back at Microsoft's claims that details of the newly discovered flaw in Internet Explorer 7 are inaccurate, saying that IE7 is the primary and possibly the only attack vector through which the flaw can be exploited.
According to a Secunia advisory, if a user visits
multiple websites using IE7 and one of them happens to be a malicious site
exploiting the flaw, attackers can gain access to any information entered
on other sites, such as user names and passwords.
In response to the recent Secunia announcement of the IE7 flaw,
Microsoft claimed the IE7 vulnerability is in fact an Outlook Express
vulnerability.
However, in an email to iTWire, Secunia's chief technology officer,
Thomas Kristensen, disputed Microsoft's assertion that Outlook Express
rather than IE7 was the problem.
"This may be true - from an organisational point of view within
Microsoft. However, the vulnerability is fully exploitable via IE,
which is the primary attack vector, if not the only attack vector,"
said Kristensen.
"Just because a vulnerability stems from an underlying component does
not relieve IE or any other piece of software from responsibility when
it provides a clear direct vector to the vulnerable
component."