BEIJING, Oct. 20 (Xinhuanet)
-- For the second consecutive year Secunia claims it has found a flaw on
Microsoft's Internet Explorer browser, and this year's flaw is the same as
The flaw discovered in 2005 on Explorer 6 and now on
Explorer 7, enables attackers to steal user information that's being
entered on a separate website, just as long as the user is visiting a site
exploiting the flaw in another window.
"A vulnerability has been discovered in Internet
Explorer, which can be exploited by malicious people to disclose potentially
sensitive information," says an advisory published on the Secunia website.
"The vulnerability is caused due to an error in the handling of
redirections for URLs ... This can be exploited to access documents served from
One way the vulnerability could be
exploited entails attackers leading users to an infected website, hoping
that they will at the same time login to an online bank account. If that
happens, the attacker would be able to hijack the user's username and
"It is hard to exploit the flaw because it requires
the attacker to lure someone to a malicious site, and for the attacker to know
what other secure site the visitor might simultaneously have open," said Thomas
Kristensen, Secunia's chief technology officer.
Last year Secunia found the same flaw in Internet
Explorer 6, but it remains unpatched by Microsoft.
Until the flaw is patched, Secunia says an
alternative solution is to "disable active scripting support." Details on how to
do this can be found on Microsoft's website.
But a Microsoft spokesman said the reports by
Secunia are technically inaccurate.
"The issue concerned in these reports is not in Internet
Explorer 7 (or any other version) at all. Rather, it is in a different Windows
component, specifically a component in Outlook Express," he said "While these
reports use Internet Explorer as a vector the vulnerability itself is in Outlook
Internet Explorer 7 was officially released by
Microsoft on Thursday, and is sent through to users as an automatic security
update. Users have the option of whether or not to install it on their