An IE7 Security Vulnerability?
Some people are discussing a recently announced security vulnerability that they claim is found in Internet Explorer 7 on Windows XP SP2 systems.
While it is true that a vulnerability exists, the vulnerability is not actually in any components of IE7, although the attack vector makes it appear that way. Our friends at the MSRC have the issue under investigation and have posted a blog entry with more details on which component is affected and what you should do about it. If you’re curious about this vulnerability, I encourage you to read up about it there.
Thanks,
Christopher Vaughan
Lead Program Manager
Comments
Anonymous
October 19, 2006
Thank you for the information on this security problem.Anonymous
October 19, 2006
MS have commented on the following vulnerability: IE 7 Internet Explorer 7 "mhtml:" RedirectionAnonymous
October 19, 2006
Fact is that this vulnerability is exposed through IE (7 and below). For those that don't understand the actual issue at hand: Outlook installs a pseudo-protocol mhtml:, now when you do an XMLHttpRequest to a certain URL on your own domain, and that URL sends a redirect using this mhtml: pseudo-protocol the same-origin policy is not respected anymore. My personal opinion is that this vulnerability will be very hard to be utilized without some other existing vulnerability in the site in question which would give a hacker control over sourcecode on the server itself in which case this vulnerability just comes to naught. So basically I just consider this a spec-violation without any security-related consequences.Anonymous
October 19, 2006
this test http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/ says "Your browser is vulnerable! The test retrieved content from news.google.com in the context of your browser. This actually means that if you were logged into your bank account, any web site you are visiting would be able to retrieve confidential data from your bank. This could also be used to retrieve personal settings entered on sites like eBay or Paypal." if it's true, this is bad for a product advertised as "secure" ( i think the "vector" argument isn't an excuse, you should be pro-active and not re-active with this issues )Anonymous
October 19, 2006
Thank you for posting this, especially on a day when many months of hard work were finally revealed. It must take a lot of courage to be flagged by the world as having released an insecure product and still be able to be transparent. The whole IE team needs to be commended for this persistence and willingness to face a brutal audience.Anonymous
October 19, 2006
"Fact is that this vulnerability is exposed through IE (7 and below)." - Tino Zijdel So does this mean the "vector" issue has been duplicated in previous versions of IE? How long has this "mhtml: pseudo-protocol" existed in OE? I would think the greater concern isn't if it's a security risk, as much as if it is not duplicated in previous IE versions, then why only IE7? I'm sure the investigation will determine the answers and hopefully a hotfix will be available prior to Nov 1st. I suspect we will see a public disclosure of several new "vulnerabilities" in the coming weeks.Anonymous
October 19, 2006
Microsoft is 100% secure. People are just trying hard to put you down! You ought to be commended for your industry-leading approach to patching bugs and security. Windows XP even connects to sa.windows.com every time we do a local search on my drive, just to make sure we're being good. Media Player connects and sends info for no logical reason after the playback of every video, too. I love Microsoft! They always keep an eye out for me, and IE7 is the most secure product of all! We will be here a year from now and there will be ZERO problems with security - that is certain!!!Anonymous
October 19, 2006
Tony: It's not "only IE7". It's exposed via IE6 as well.Anonymous
October 19, 2006
What difference does it make which Microsoft team introduced this serious vulnerability? The net is that users of IE7 are vulnerable and no fix is available. At the same time users of Firefox or any other browser are safe from this attack. Go figure.Anonymous
October 19, 2006
this IE 7.0 IS THE FASTEST YETAnonymous
October 19, 2006
The comment has been removedAnonymous
October 19, 2006
I wonder if the makers of this vulnerability were just waiting for the product to release... As long as sick, stupid, distorted hackers live, and as long as computer illiterate folk live who need conveniance, the contending forces of the two will cause vulnerabilities to be discovered. I for one support Microsoft, and shall support Microsoft, even though they have a few vulnerabilities. Any company that provides a good level of support for multiple types of computers on vast amounts of otherwise-incompatible hardware gets my respect. Certainly not some 'we only run on our own hardware' company, or an open-source project as stable as a sandpit. But go ahead. Attack Microsoft. It's not like there's actually people on the other end of this blog, reading your kind or otherwise posts, who try to make a living the best they can just like you do. </sarcasm>Anonymous
October 19, 2006
The comment has been removedAnonymous
October 19, 2006
The comment has been removedAnonymous
October 19, 2006
Congratulations for the super cool browser but as of now I'm experiencing malware on the ie7 home page. In all web browsers.Anonymous
October 19, 2006
@ Dawood: uninstall or update your Antivirus software. It's a false positive case.Anonymous
October 19, 2006
The problem it's not about a new vulnerability. But how long will it take to fix it in IE7? If it's fixed in 1 week, IE7 is a very great upgrade but if it's not, IE7 is a very bad work. When do you think it will be fixed ? Regards.Anonymous
October 20, 2006
The comment has been removedAnonymous
October 20, 2006
The comment has been removedAnonymous
October 20, 2006
Now they lay all the blame on OE team. Very good. When I told them that IE7 has broken support for .mht files with chinese characters in names, they told me it's Outlook's fault too. I then wonder why IE6 works fine with the same Outlook...Anonymous
October 20, 2006
The comment has been removedAnonymous
October 20, 2006
@Grant I think it's obvious. Don't spoil it. I posted such comments when this blog only started, but they were deleted.Anonymous
October 20, 2006
So how do I get rid of this mhtml and outlook express? I don't use outlook express anyway. which dll do I delete?Anonymous
October 20, 2006
Well, as a SeaMonkey and Firefox fan, I have been testing IE7 for the last several weeks. I have been very impressed and, in fact, have minimized using SeaMonkey... So, I have 3 browsers on my system (IE7, Firefox 2.0, and SeaMonkey 1.0.5). As a web developer, I must have several browsers to use for testing. As I said, I have been very impressed with IE7. Besides this security FUD (Remember FUD when it was MS using it to scare people away from Java? Fear-Uncertainty-Doubt?), I cannot understand why it takes so long to open a new tab. In both Firefox and SeaMonkey, tabs are instantaneous. In IE7, there's a long pause (on the order of seconds -- not minutes!) -- much longer than the instantaneous tabs of Mozilla. What's up with this? Is this where MS reports back to King Bill? Well this is (what the Japanese refer to as) bachi (sp?). I suppose Buddhists refer to it as Kharma. Me, I just call it "deserving." :) Another disappointment (despite, as I said, being impressed overall) is that certain Drupal themes do not display properly in IE7. Again, MS has been resistant to comply with web standards... But IE7 is closer than any previous internet-exploding browser by MS, yet... My browser history is: Netscape 2.0, Netscape 3.0, Mozilla, SeaMonkey, Firefox, and (soon, hopefully) IE 7. Good luck in resolving the OE/IE issue... One thing is certain... whichever team holds ownership, ultimately it is Microsoft who holds ownership of the issue -- and whether resources will be allocated to correct the issue... So that we may replace FUD with HUG (Huge Ugly Giant)! <g>Anonymous
October 20, 2006
The comment has been removedAnonymous
October 20, 2006
"The net is that users of IE7 are vulnerable and no fix is available. At the same time users of Firefox or any other browser are safe from this attack. Go figure." There is no reason for the "media" (used very lightly here) makes it appear that the weakness 'was discovered' in IE7. And yes, FireFox/others are safe from this, but FireFox has its own security issues. So it's not like they're innocent (some security issues going back several years).Anonymous
October 20, 2006
Maybe it's just me, but the Secunia test does NOT work on my IE 7. I am using an older version, and protected mode is on (it didn't work with it off either however). I'm on Vista RC2. Maybe I was just lucky, but this security alert seems a little dubious.Anonymous
October 20, 2006
@Confused: IE7 Vista RC2 (build 5744) passes that test with "Your browser does not appear to vulnerable to this particular exploit."Anonymous
October 20, 2006
All versions of IE that can handle XMLHTTPRequests AND have some vestige of Outlook Express installed are "vulnerable" as it is the OE dll that has the problem: IE just hands it to OE. Personally, I thought I'd excised all elements of OE from my system as I hate it with an absolute passion and always have (the only possible benefit from using it was the newseader, but then there was Netscape 4.x with a far superior one), but that must have been in a previous machine build.Anonymous
October 20, 2006
@Aedrin >"The net is that users of IE7 are vulnerable and no fix is available. At the same time users of Firefox or any other browser are safe from this attack. Go figure." >There is no reason for the "media" (used very lightly here) makes it appear that the weakness 'was discovered' in IE7. And yes, FireFox/others are safe from this, but FireFox has its own security issues. So it's not like they're innocent (some security issues going back several years). Yes. They shouldn't have said it was "discovered". They should have told the truth: "There was vulnerability in OE that was making IE vulnarable. And Microsoft knew about it. And did nothing. Now they release IE7 and speak about security. It's perfect time to remind people haw Microsoft hadles security. Unless being reminded they can errorneously think that IE7 is fresh and secure." You can laugh, but many people really think that the new program versions are released "fresh" without known bugs or holes.Anonymous
October 20, 2006
So the next time FireFox is on the news, there should also be an article: "FireFox still contains numerous memory leaks and bugs and didn't do anything about it in the new version!" A program has bugs, what blasphemy. Microsoft can't fix every single little loophole/bug? They should be shot! Unless you work at Microsoft (in one of the development departments) I don't think you can assume that they don't care. There is a lot more to it than just fixing it. We can keep this going on and on. But at the end of the day, all programs may contain bugs and/or security issues. Small companies can fix this easily, while it takes more time as the company gets bigger. No matter how unfair you think it, this happens everywhere and with everything. Perfection may be strived for, but will never be attained. Sure, Microsoft could rewrite their rendering engine/browser to start fresh. But wait, didn't someone else do that too? Oh yes, Netscape. What happened to them? Exactly. If you find Internet Explorer/Microsoft so horrible, why bother complaining to them? What do you say, you have to develop for it? Oh, I see. This is part of your job then. And if it is your hobby, stop doing it. Nothing is perfect, with every platform/framework you have to remember that bugs exist and you have to work with this.Anonymous
October 20, 2006
I'm not too concerned with this 'vulnerability' and I'm tired of Firefox anyway. I like IE 7 alot. Keep up the updates though!Anonymous
October 20, 2006
The comment has been removedAnonymous
October 20, 2006
@MacHershell: The most common performance issue for creating new tabs relates to plugins. Do you have any toolbars/BHOs/Explorer bars installed? What type of machine do you have? For architectural reasons IE7 maintains one instance of each plugin for each tab (any other design would mean rewriting all of the existing plugins). This means that if you have a lot of plugins installed, you'll experience slower performance than you would otherwise. My machines take well under a second to spawn a new tab with two or three plugins installed at any given time.Anonymous
October 20, 2006
Can you help me to clear up the following issue or address me to a right person/group/site. MS security bulletin MS06-055 itself states that XP SP2 is affected, and you need to download the update. But if a person tries to install the update on XP SP2 machines running IE 7, it won't install. Can it be clarified in the bulletin? Thank you Marina Levshteyn marina @ inspectsoft.comAnonymous
October 20, 2006
@marishalev: IE7 was not released at the time of MS06-055. It is my understanding that this is the reason why XP SP2 with a beta/RC IE7 was not specifically listed. The release version of IE7 should not be vulnerable (haven't tested it myself). So why specifically mention in a security bulletin that a product relased afterwards is not vulnerable? To me that doesn't make sense. BTW: To me the timinig of the secunia advisory looks just like an attempt to grab attention.Anonymous
October 20, 2006
The moral of the IE7 story: you can't polish a turd.Anonymous
October 21, 2006
Marina: we specifically mention in a blog post that IE7 is not vulnerable to MS06-055. That release was designed for people running XPSP2 without IE7 (ie, at the time, most people). See our blog post here: http://blogs.msdn.com/ie/archive/2006/09/29/777193.aspx -ChristopherAnonymous
October 21, 2006
YOU people from IE team at microsoft, YOU said that IE is so deeply inside windows... remember of that ?! And now there is a flaw in IE..(OE was usually shiped with IE at the time IE was not a part of the OS) You says "wait a second, it not IE, it's OE !!!" ... so deeply inside OS...Anonymous
October 21, 2006
The comment has been removedAnonymous
October 21, 2006
So. Will it be fixed ? Or must I wait for the XP Sp3 (2008) ?Anonymous
October 22, 2006
I am a developer and from a standards stance I don't like IE I wish the corporate world used another well known browser...Anonymous
October 22, 2006
Marina- historically we (we as in Microsoft) haven't referred to products in pre-release in our security bulletins (for instance, we don't discuss Windows Server 2003 Service Pack 2 Beta either). MS06-055 was released prior to IE7, so that's why it didn't refer to IE7 specifically. Now that IE7 is out, you should expect that future bulletins to differentiate if necessary. I will talk with some other folks about if we should go back and retro-actively update bulletins to show whether or not IE7 is affected so we are clear for folks like yourself. The only question is, of course, how far do we go back and update bulletins? Thanks and keep those questions coming. I'm happy to respond. -ChristopherAnonymous
October 22, 2006
If this is not an IE issue, why are machines with IE 7 beta 2 not affected, then immediately affected upon upgrading to IE 7 RTM?Anonymous
October 22, 2006
@Bob: This issue is not in IE, and hence it exists without regard to IE version. IE7 Beta 2 on XP is an affected platform.Anonymous
October 22, 2006
best post on this yet -- http://blogs.zdnet.com/Bott/?p=161Anonymous
October 22, 2006
The comment has been removedAnonymous
October 23, 2006
Christopher, >The only question is, of course, how far do we go back and update bulletins?< I understand. Maybe just put some kind of disclaimer/notification on front page of Microsoft Security Bulletins summary so it can be more visible. And thank you so much for your reply. It helped me a lot. MarinaAnonymous
October 23, 2006
@EricLaw On a Windows 2003 machine with IE 7 beta 2, the Secunia test return not vulnerable. On the same machine having upgraded to IE 7 RTM, the Secunia site returned vulnerable. This is something I witnessed with my own eyes (and my own mouse clicks).Anonymous
October 24, 2006
I'm a big fan of IE7 and MS products in general, but I still feel it is disingenuous to pass this off as someone else's problem. Many of the vulnerabilities exposed by IE have in fact been due to exposure in ActiveX controls. I have no problem with ActiveX in general and have written my own IE controls, but the fact is ActiveX is the weak link in IE's security chain. You have to be very careful deciding to install a control on your machine. Which is why I believe IE bears responsibility here... I didn't install mshtml on my machine, it came with Windows, as did numerous other controls. To live up to the "secure by default" mantra, IE needs to proactively restrict access to these controls UNLESS IE IS WILLING TO VOUCH FOR THEM. I realize that IE and MS have put a lot of effort in trying to certify them. But in this case they failed. My machine is vulnerable because IE is installed, and IE should take responsibility.Anonymous
October 26, 2006
hola buenos dias alguien me puede guiar no he podido ingresasr a ver mi Transcript con la version de internet explorer 7.0.5 MCP - Microsoft Certified Professional Bogota Colombia https://mcp.microsoft.com/authenticate/ValidateMCP.aspx Transcript ID : 719607 Access Code : Microsoft gracias EXITOS ATT JOSE ARMANDO CAMACHO NAVARRETEAnonymous
October 26, 2006
The comment has been removedAnonymous
October 26, 2006
On this page, I have 121 warnings in the XHTML validator.Anonymous
October 30, 2006
I've been using IE7 for a while, only thing I find strange is when I leave my online banking, it hangs up for quite a while. This make me nervous (Real nervous if I had a lot of money)