Is there a flaw in Internet Explorer 7?
www.chinaview.cn 2006-10-20 14:35:31

    BEIJING, Oct. 20 (Xinhuanet) -- For the second consecutive year, Secunia claims it has found a flaw in Microsoft's Internet Explorer browser, and this year's flaw is the same as last year's.

    The flaw, discovered in 2005 in Explorer 6 and now in Explorer 7, enables attackers to steal user information that is being entered on a separate website, as long as the user is visiting a site exploiting the flaw in another window.

    "A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information," says an advisory published on the Secunia website.

 "The vulnerability is caused due to an error in the handling of redirections for URLs ... This can be exploited to access documents served from another website."

    One way the vulnerability could be exploited entails attackers leading users to an infected website, hoping that they will at the same time log in to an online bank account. If that happens, the attacker would be able to hijack the user's username and password.

    "It is hard to exploit the flaw because it requires the attacker to lure someone to a malicious site, and for the attacker to know what other secure site the visitor might simultaneously have open," said Thomas Kristensen, Secunia's chief technology officer.

    Last year Secunia found the same flaw in Internet Explorer 6, but it remains unpatched by Microsoft.

    Until the flaw is patched, Secunia says an alternative solution is to "disable active scripting support." Details on how to do this can be found on Microsoft's website.

    But a Microsoft spokesman said the reports by Secunia are technically inaccurate.

    "The issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express," he said. "While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express."

    Internet Explorer 7 was officially released by Microsoft on Thursday, and is sent through to users as an automatic security update. Users have the option of whether or not to install it on their computer. 

    (Agencies)

    

Editor: Gareth Dodd