REDMOND, WA — Within 24-hours of the release of Microsoft’s much anticipated and long awaited internet browser update to Internet Explorer 7, some were celebrating and others were claiming to have found its first vulnerability — a vulnerability left unpatched from version the previous release.Christopher Budd, a security program manager at Microsoft, posted to the company’s Response Center blog that the reports of such an unpatched vulnerability are incorrect and that the flaw in question does not belong to the browser but, in fact, is associated with the Windows operating system, itself.
The response did not earn praise from Secunia chief technology officer Thomas Kristensen, who insisted that “Hiding behind an explanation that certain vulnerabilities, which only are exploitable through Internet Explorer, are to blame on Outlook Express, Microsoft Windows, or other core Microsoft Windows components seems more like a way to promote security of IE rather than standing up and explaining to users where the true risk is and taking responsibility for the vulnerabilities and risks in IE.”
Visitors to the Slashdot and Secunia websites learned about the alleged Arbitrary Content Disclosure vulnerability less than a full day after the much anticipated browser update was released. Secunia claims that it located the known flaw after running standard tests on the update and Kristensen indicated surprise that it had not been repaired before becoming available to the public.
Although Secunia deemed the vulnerability “less critical” since it does not allow remote access to the flawed system, it also pointed out that the vulnerability still puts users at risk since phishing and spyware attacks can be launched using it.
According to Budd’s blog post, the point of entry is not in IE 6 or 7, but in Outlook Express. He insists that Microsoft is aware of and researching the problem but has not heard of it being used in any attacks.
Secunia is not reassured by Budd’s words, with Kristensen stating that “Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component.” In this case, Secunia maintains that exploiting IE would be the most likely method used in a malicious attack.
Aside from the unpatched soft spot, IE contains a phishing filter, tabbed browsing, shrink-to-fit printing, a customizable search box, and a design that preserves screen real estate for web browsing instead of browser options. The browser will be available in all supported languages, with Arabic, Finnish, French, German, Japanese, and Spanish language versions shipping next and remaining languages becoming available between November and January.
Those interested in downloading the newest Internet Explorer browser may do so from www.Microsoft.com/ie.
