Bickering over vulnerability in Internet Explorer 7
The first vulnerability in Internet Explorer 7, reported yesterday (Thursday) and already known in IE6 for six months, has given rise to bickering. Microsoft has now issued its first public response. It claims that the problem lies in neither Internet Explorer 6 nor Internet Explorer 7, even though the demonstration of the vulnerability uses these browsers as its attack vector. According to Microsoft, the fault lies with an Outlook Express component in Windows, and the company is looking into the matter.
Thomas Christensen, CTO of Secunia, gave his response to heise Security, "Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component."
For some time Microsoft has pursued a policy of categorising every conceivable security vulnerability as a vulnerability in the operating system, even where Internet Explorer is the primary or only attack vector. This causes confusion and can lead users and administrators to underestimate the seriousness of a problem: a flaw filed against a Windows component rather than the browser is easy to overlook when deciding how urgently to patch or which software to restrict.
Whilst Microsoft's attitude may be correct from an internal organisational point of view, it does not match the way users and administrators understand vulnerabilities and protect themselves against their exploitation. "In short, Secunia finds it necessary and reasonable to flag Internet Explorer as being vulnerable if Internet Explorer provides a clear direct vector to a vulnerable component, which is included by default in a fresh clean install of Microsoft Windows."
"Hiding behind an explanation that certain vulnerabilities, which are only exploitable through Internet Explorer, are to be blamed on Outlook Express, Microsoft Windows, or other core Microsoft Windows components seems more like a way to promote the security of IE rather than standing up and explaining to the users where the true risk is and taking responsibility for the vulnerabilities and risks in IE, which are caused by IE being so heavily integrated with the underlying operating system and other Microsoft components."
The WMF vulnerability, which caused a storm at the end of last year, was likewise the result of an error in a Windows library. Here too Internet Explorer was the main entry point for the malware that exploited it.
- Information on Reports of IE 7 Vulnerability, response on Microsoft's security blog
- First security vulnerability in Internet Explorer 7 [Update], report on heise Security