Secunia: Exploit Truly Does Affect IE7

UPDATE: In a test conducted by BetaNews on a fresh installation of the release version of Internet Explorer 7, on a "clean" environment set up within Virtual PC 2004, the browser failed the MHTML content retrieval test. The issue involves redirecting the Web browser to a local resource.

On Wednesday, as BetaNews reported, security services vendor Secunia stated that a long-standing, unpatched MHTML redirection exploit, found to affect Internet Explorer 6.0 as early as November 2003, affects the final release version of IE7. Yesterday, Microsoft security team member Christopher Budd responded to that claim by saying the exploit in question actually affects Outlook Express, even though IE7 may continue to provide the "attack vector" for this exploit.

This morning, in a detailed response to BetaNews, Secunia CTO Thomas Kristensen held true to his company's stance that the exploit is attributable to Microsoft's new Web browser, the final version of which was released earlier this week.

"Microsoft claims the recent IE7 vulnerability is an Outlook Express vulnerability," begins Kristensen's statement to us. "This may be true, from an organizational point of view within Microsoft. However, the vulnerability is fully exploitable via IE, which is the primary attack vector, if not the only attack vector."

As Budd wrote on Microsoft's Security Response Center blog yesterday, "The issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express."

This morning, Secunia's advisory on the exploit continues to report that it affects Windows XP SP2 systems, with all patches and with Internet Explorer 7.0 final edition installed.

"Just because a vulnerability stems from an underlying component," Kristensen told BetaNews, "does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component."

Historically, he said, when Microsoft discovered (or was made aware of) vulnerabilities that were exploitable through Internet Explorer, the company would give alerts to its users, tagging the exploits as affecting the operating system at large, rather than the point of impact.

As a result, Kristensen believes, administrators tended to view these possible exploits as less significant, or at least equally significant with respect to one another, once they've all been pooled together under the collective heading of "operating system vulnerabilities."

Maybe this is good for Microsoft PR, states Kristensen, but if everyday users are going to put up a defense, they'll need a more accurate explanation of the problem.

"Secunia finds it necessary and reasonable to flag Internet Explorer as being vulnerable if Internet Explorer provides a clear direct vector to a vulnerable component, which is included by default in a fresh clean install of Microsoft Windows," Kristensen writes.

"Hiding behind an explanation that certain vulnerabilities, which only are exploitable through Internet Explorer, are to blame on Outlook Express, Microsoft Windows, or other core Microsoft Windows components, seems more like a way to promote security of IE rather than standing up and explaining to users where the true risk is, and taking responsibility for the vulnerabilities and risks in IE, which are caused by IE being so heavily integrated with the underlying operating system and other Microsoft components."

Presently, Microsoft is holding true to yesterday's statement that it has seen no active attacks involving the MHTML vulnerability, from Outlook Express or anywhere else. Secunia continues to rate the severity level of the threat as "less critical."