Softpedia
 


November 15th, 2006, 13:18 GMT · By

Security Vulnerabilities in Internet Explorer 7



Microsoft is far from perfect when it comes to the security of Internet Explorer 7, and this status quo is destined to perpetuate itself. This statement is not mine; it belongs to Rob Franco, IE Lead Program Manager. Through Franco, Microsoft is stating its position on the phishing vulnerabilities reported by Secunia. "There have been a few posts on ways to steal data or spoof URLs in IE7 but they really don't detract from a very simple truth: IE7 will be more secure than IE6 was and frankly, comparisons to other browsers are still too early to be objective," stated Franco.

Microsoft's guarantee of increased security rests on a smaller attack surface for Internet Explorer 7 in comparison to its predecessor, and on re-engineering the remaining attack surface in order to bulletproof the browser. "Reducing attack surface is always a good security strategy but the security research community will double-down their efforts on our remaining attack surface and on non-default configurations. That means that there will be security bugs and we will build fixes for those bugs," added Franco.

On November 14, Microsoft released a cumulative security update for Internet Explorer that resolved issues related to versions 4 and 6 of MSXML, an ActiveX control that was never installed in Windows Vista and Internet Explorer 7.

"You also may have heard about the address bar spoofing bug. The bug works because the address bar now gets focus when you open a new tab or window to about:blank, and by default, the selection is scrolled all the way to the end of the URL. The idea of putting the focus in the address bar was intended to make it easy for you to start typing the address of a site that you want to visit," explained Franco.

Microsoft will also deliver a patch for the redirection bug in MHTML, an Outlook Express protocol that manages HTML files. However, IE7 users who are not actually logged into their banking accounts during an attack are safe.

"I know that expectations are high for this release and I think we should keep them high but it's still software so we have to be prepared for some bugs and the related fixes," concluded Franco.
