First security vulnerability in Internet Explorer 7
Microsoft has only just released Internet Explorer 7, and security services provider Secunia has already registered the first security vulnerability in the new browser. Surprisingly for a new version of the browser that entailed a significant rewrite, the vulnerability is a carry-over from Internet Explorer 6 and was described in April 2006. According to Secunia, the vulnerability allows an attacker to read confidential information from opened websites.
Secunia has also prepared a website to demonstrate the vulnerability, which, after clicking on a link, attempts to read content from news.google.com. This was successful on a heise Security test computer running a fully patched Windows XP SP2 and the just-released final version of Internet Explorer 7.
The bug, which affects both Internet Explorer 6 and the new version 7 of Microsoft's web browser, is based on incorrect handling of redirects for mhtml:// URLs. As a workaround, the security services provider suggests deactivating active scripting. Users who wish to wait and do not want Internet Explorer 7 to be installed on their computer automatically at the start of November will find help in an article on heise Security.
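The suggested workaround, deactivating active scripting, can be checked and applied per security zone in the registry. The following PowerShell script is an added example, not part of the original article or the Secunia advisory; it reads URL action 1400 (active scripting) for the Internet and Restricted sites zones, and the `-Apply` switch and function name are assumptions made for the example.

```powershell
# Added example (not from the article): report, and with -Apply disable,
# Active Scripting for the current user's Internet and Restricted sites zones.
param([switch]$Apply)  # hypothetical switch; without it nothing is changed

$Action  = '1400'   # URL action "Active scripting" (URLACTION_SCRIPT_RUN)
$Disable = 3        # 0 = enable, 1 = prompt, 3 = disable
$Meaning = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$Zones   = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$Suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$UserKey = "HKCU:\Software\$Suffix"
# Group Policy copies of the same value take precedence over the user setting.
$PolicyKeys = "HKLM:\Software\Policies\$Suffix", "HKCU:\Software\Policies\$Suffix"

function Get-ScriptingAction([string]$Base, [int]$Zone) {
    # Returns the DWORD stored for action 1400, or nothing if it is not set.
    $p = Get-ItemProperty -Path "$Base\$Zone" -Name $Action -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.$Action }
}

foreach ($zone in ($Zones.Keys | Sort-Object)) {
    $user   = Get-ScriptingAction $UserKey $zone
    $policy = $PolicyKeys | ForEach-Object { Get-ScriptingAction $_ $zone } |
              Select-Object -First 1
    $effective = if ($null -ne $policy) { $policy } else { $user }
    $state = if ($null -eq $effective) {
        'not set'
    } elseif ($Meaning.ContainsKey($effective)) {
        $Meaning[$effective]
    } else {
        "unknown ($effective)"
    }
    Write-Output ("{0,-16} scripting: {1}" -f $Zones[$zone], $state)

    if ($Apply -and $null -eq $policy -and $user -ne $Disable) {
        # No policy in force: write the per-user value.
        if (-not (Test-Path "$UserKey\$zone")) {
            New-Item -Path "$UserKey\$zone" -Force | Out-Null
        }
        Set-ItemProperty -Path "$UserKey\$zone" -Name $Action -Value $Disable -Type DWord
        Write-Output ("{0,-16} scripting set to disabled" -f $Zones[$zone])
    } elseif ($Apply -and $null -ne $policy -and $policy -ne $Disable) {
        Write-Warning "$($Zones[$zone]): value is set by policy; change it in Group Policy."
    }
}
```

Run without arguments it only reports the current state; the change affects the current user and takes effect in newly opened browser windows.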
- Internet Explorer 7 "mhtml:" Redirection Information Disclosure, security advisory from Secunia
- Demonstration of the security vulnerability from Secunia
- Preventing the automatic Internet Explorer 7 update, article on heise Security
(ehe)