Information regarding the reported IE7 vulnerability

MS have commented on the following vulnerability:

IE 7 Internet Explorer 7 "mhtml:" Redirection Information Disclosure

I know some will say that the following is nit-picking, but the fact is...

"These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express."

Also, the vulnerability is not reproducible on Windows Vista.

The IE team also comments saying pretty much the same thing:

This is something happens quite regularly, where a vulnerability is described as being an IE vulnerability when in fact it is not IE bits that are vulnerable but rather IE is being used as a jumping off point to access the vulnerable component.  Some will say that exactly which component is the source of the vulnerability is beside the point, but I'd still like to see vulnerability reporters starting to be more accurate in their descriptions.

Edit: There is a very interesting comment on the IE blog about the vulnerability as follows:

"For those that don't understand the actual issue at hand: Outlook installs a pseudo-protocol mhtml:, now when you do an XMLHttpRequest to a certain URL on your own domain, and that URL sends a redirect using this mhtml: pseudo-protocol the same-origin policy is not respected anymore.

My personal opinion is that this vulnerability will be very hard to be utilized without some other existing vulnerability in the site in question which would give a hacker control over sourcecode on the server itself in which case this vulnerability just comes to naught."

Published Fri, Oct 20 2006 7:07 by sandi
Filed under:


# re: Information regarding the reported IE7 vulnerability

Thursday, October 19, 2006 7:19 PM by sandi

"This is a publicly disclosed vulnerability which is actually in Outlook Express (OE) and uses Internet Explorer as a vector. Its not an issue with IE7 or any other version of IE. There's no known exploit that uses this vulnerability, one which is classified as 'less critical' by secunia."