
According to security firm Secunia, the just-released Internet Explorer 7 contains a "Redirection Information Disclosure" vulnerability that allows one site to fetch data from another site through the browser, opening it up to all kinds of cross-site scripting (XSS) attacks. Interestingly, the same vulnerability has been known and unpatched in IE6 since April. It's one thing not to patch an old browser, but it seems quite another to release a brand new browser with the same vulnerability that you've been aware of for six months. If you're running Internet Explorer and want to see the exploit in action, Secunia has set up a demo page.
Comments (7)
naevus, Oct 19th 2006 2:54PM
And the IE7 web site seems to be affected by this vulnerability!!!
http://www.ranzanici.com/2006/10/19/go-to-ie7-website-and-get-a-virus
Gardiner Westbound, Oct 19th 2006 4:49PM
Out less than 24 hours and IE7 already needs a patch!
Nicholas, Oct 20th 2006 12:46AM
This is not an exploit with IE7; it's actually a bug in an Outlook Express file -- you can prove this by running the sample code in IE6 as well. Microsoft is working on it.
nitestrike, Oct 20th 2006 1:12AM
I ran the demo on my test XP install before and after the IE7 final release and got a positive vulnerability both times. But I ran it on Vista with Office 2007 installed and the demo failed. Another indication it is not IE7 itself that would need to be patched.
JB, Oct 20th 2006 12:21PM
Jordan -- When are you going to blog about the fact that the flaw was not in IE, but in Outlook Express? Seems like Secunia was trying to be a little too opportunistic for some free publicity. They should be called out on not doing their homework instead of blaming MSFT.
Jordan Running, Oct 20th 2006 12:44PM
JB: Regardless of where the actual vulnerability lies, the exploit exists in IE7, which millions of people downloaded this week. In my opinion, whether it's the fault of Outlook or not doesn't matter if people get bitten by it while they're using Internet Explorer, not Outlook.
K9Mark, Oct 20th 2006 2:10PM
IE 7 is just another tactic for Microsoft to require you to enable the Genuine Advantage service and allow them to spy. I have completely lost confidence in Microsoft's ability to produce secure software.