Stan Beer
Friday, 20 October 2006 17:57
Kristensen chided Microsoft for not acknowledging IE7's role in the
exploitation, saying it will lead to confusion among users and systems
administrators.
"For a long time Microsoft has had a policy of
tagging various vulnerabilities where IE was the primary or only attack
vector as operating system vulnerabilities. This does lead to some
confusion and may cause users and system administrators to view the
issues as less significant," said Kristensen.
"Again, while it may be correct from an organisational (and PR?) point
of view within Microsoft, this does not fit into how it is perceived by
users and administrators and how they are going to defend against
exploitation.
"In short, Secunia finds it necessary and reasonable to flag Internet
Explorer as being vulnerable if Internet Explorer provides a clear
direct vector to a vulnerable component, which is included by default
in a fresh clean install of Microsoft Windows.
"Hiding behind an explanation that certain vulnerabilities, which only
are exploitable through Internet Explorer, are to be blamed on Outlook
Express, Microsoft Windows, or other core Microsoft Windows components
seems more like a way to promote security of IE rather than standing up
and explaining to the users where the true risk is and taking
responsibility for the vulnerabilities and risks in IE, which are
caused by IE being so heavily integrated with the underlying operating
system and other Microsoft components."
According to Kristensen, the IE-specific nature of the vulnerability
highlighted by the security company is underlined by the fact that it
does not affect browsers from vendors other than Microsoft.
"Firefox and Opera can't be exploited in a default configuration," said Kristensen.
"We have not seen any documentation or indications about other vectors
to this than IE. It is of course possible that other third party
applications (or Microsoft applications) use this functionality but
even if they did it isn't certain that it is possible to exploit it for
the same purpose as in IE."