Microsoft Denies Internet Explorer 7 Vulnerability

Yesterday, in the wake of the Internet Explorer 7 final launch, Secunia warned of a vulnerability in the browser. "The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site. Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected," revealed Secunia.

Let me clarify the title for a second. Microsoft does not deny that the vulnerability exists. What it denies is that the vulnerability resides in Internet Explorer 7 running on Windows XP SP2 systems.

"While it is true that a vulnerability exists, the vulnerability is not actually in any components of IE7, although the attack vector makes it appear that way. Our friends at the MSRC have the issue under investigation and have posted a blog entry with more details on which component is affected and what you should do about it," commented Christopher Vaughan, Microsoft Lead Program Manager.

Christopher Budd over at the Microsoft Security Response Center, claims that the reports of the IE7 vulnerability are technically inaccurate. Internet Explorer 7 is just a vector for the attacks. In fact, Microsoft claims that no version of Internet Explorer is affected and that, actually, the vulnerability impacts Outlook Express exclusively.

"While we are aware that the issue has been publicly disclosed, we're not aware of it being used in any attacks against customers. We do have this under investigation and are monitoring the situation closely and we'll take appropriate action to protect our customers once we've completed the investigation," stated Budd.