MS and researchers split hairs over first IE7 flaw

Found on The Register on Saturday, 21 October 2006

Microsoft claims the vulnerability stems from a flaw in Outlook Express, but security researchers say that since the bug can be exploited via IE7 it is really an IE7 vulnerability.

The flaw is said to stem from errors in the handling of redirections for URLs with the "mhtml:" URI handler. Secunia reports that the same bug was discovered six months ago in IE6 but remains unresolved. The flaw might be used to access documents served from another website, a trick that could be useful in various scam and phishing attacks.

"The issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express," writes Microsoft staffer Christopher Budd on MS's official security response weblog.

I doubt a user will be interested in those fine details after he has been hit through that exploit. Both products come from MS, so it's a moot point discussing the real problem part. This discussion also shows how much of a stand-alone product IE7 is.