IE 7’s First Security Hole

Internet Explorer 7 hasn’t been available for 24 hours and already a security vulnerability has been found.

The vulnerability was first posted on Thursday morning by Secunia, a security Web site.

The vulnerability is caused by an error in the handling of redirections for URLs with the “mhtml:” URI (Uniform Resource Identifier)  handler.

MHTML, or MIME HTML, is a combination of multiple elements, often media files, linked externally in an HTML page.

This particular vulnerability can be exploited to access documents served from another Web site.

Secunia has a test to confirm the vulnerability. The company has so far confirmed it on a fully patched machine running Windows XP, Service Pack 2.

In a blog posting to the Microsoft Security Response Center (MSRC), Christopher Budd, security program manager of MSRC, said the flaw is not in the browser, but a Windows component used in Outlook Express.

“While we are aware that the issue has been publicly disclosed, we’re not aware of it being used in any attacks against customers,” he wrote.

“We do have this under investigation and are monitoring the situation closely and we’ll take appropriate action to protect our customers once we’ve completed the investigation.”

The solution for now is to disable active scripting support until Microsoft issues a patch. The question is when that will be, as this has been a known issue for three years.

The security and bug tracking site SecurityFocus first identified the problem in November 2003.

“The question is why didn’t someone discover this vulnerability earlier, and not just Microsoft,” said Joe Wilcox, senior analyst with JupiterKagan. “The browser has been in testing, with multiple release candidates, for months. Is it convenience or coincidence, that bugs were discovered on launch day and not sooner?”

News Around the Web