Security Software IE7 Vulnerability

Status
Not open for further replies.

octave

Discoverer
Secunia

Internet Explorer 7 "mhtml:" Redirection Information Disclosure
  • Secunia Advisory: SA22477
  • Release Date: 2006-10-19
  • Critical: Less critical
  • Impact: Exposure of sensitive information
  • Where: From remote
  • Solution Status: Unpatched
  • Software: Microsoft Internet Explorer 7.x
Description:
A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused by an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.

Secunia has constructed a test, which is available at:
Internet Explorer Arbitrary Content Disclosure Vulnerability Test - Secunia

Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected.

Solution:
Disable active scripting support.
 
We've gotten some questions here today about public reports claiming there's a new vulnerability in Internet Explorer 7. This is an issue that we have under investigation and so we have some technical information we can share about the issue.

These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector, the vulnerability itself is in Outlook Express.

While we are aware that the issue has been publicly disclosed, we're not aware of it being used in any attacks against customers. We do have this under investigation and are monitoring the situation closely and we'll take appropriate action to protect our customers once we've completed the investigation.
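As an added defender-side example (not Secunia's test and not Microsoft's code), the following Python scans captured HTML for "mhtml:" references in URL-bearing attributes, splits each one into its archive URL and the part named after the "!", and reports them so a proxy or log review can flag pages that use the handler at all. The sample page, its hostnames and paths are constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample page (not from the advisory): three mhtml: references,
# one of them with the scheme hidden behind an HTML entity.
SAMPLE_HTML = """
<html><body>
<img src="http://cdn.example.net/logo.png">
<script src="mhtml:http://attacker.example/redir.php!part1"></script>
<iframe src='MHTML:http://attacker.example/inner.mht'></iframe>
<object data="&#109;html:http://attacker.example/r?u=1!x"></object>
</body></html>
"""

# Attributes that the browser resolves as URLs; the scheme match is case-insensitive.
MHTML_ATTR_RE = re.compile(
    r"""\b(src|href|data)\s*=\s*["']?\s*(mhtml:[^"'\s>]+)""", re.IGNORECASE)


def parse_mhtml_uri(uri):
    """Split 'mhtml:<archive-url>!<part>' into (archive_url, part_or_None)."""
    scheme, sep, rest = uri.partition(":")
    if scheme.lower() != "mhtml" or not sep:
        raise ValueError("not an mhtml: URI: %r" % uri)
    archive, bang, part = rest.partition("!")
    return archive, (part if bang else None)


def find_mhtml_refs(page_html):
    """Return one finding per mhtml: reference found in the HTML."""
    # Decode entities first so '&#109;html:' is seen as 'mhtml:'.
    decoded = html.unescape(page_html)
    findings = []
    for m in MHTML_ATTR_RE.finditer(decoded):
        attr, uri = m.group(1).lower(), m.group(2)
        archive, part = parse_mhtml_uri(uri)
        findings.append({
            "attribute": attr,
            "archive_url": archive,
            "archive_host": (urlsplit(archive).hostname or "").lower(),
            "part": part,
        })
    return findings


if __name__ == "__main__":
    for finding in find_mhtml_refs(SAMPLE_HTML):
        print(finding)
```

Legitimate web pages have essentially no reason to reference the "mhtml:" handler, so every finding is worth a look regardless of which host the archive URL names, since the redirect described in the advisory can carry the request elsewhere.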

 