News

Address Redirection Cause of IE7 Issue

By Scott M. Fulton, III | Published October 20, 2006, 4:02 PM

In a test conducted by BetaNews on a fresh installation of the release version of Internet Explorer 7, on a "clean" environment set up within Virtual PC 2004, the browser failed the MHTML content retrieval test. The issue involves redirecting the Web browser to a local resource.

In examining the source code of Secunia's page, we found that a JavaScript function first generates a resource location using pieces of strings, plus a randomly generated number as a throw-away parameter. The location points to a page that apparently triggers an HTTP 302 signal, purportedly that the site location has been rerouted. The problem occurs when the browser -- or some other component of the Web browsing process -- takes the address of the rerouting for granted. With recent versions of IE, including IE7 in our test, the browser pulls up the alternate address regardless of what it contains.

In Secunia's innocuous test, the browser appears to open up the source code for Google News. However, the call to Google News was placed locally, meaning the redirection successfully forced the browser to parse a local resource request. It could conceivably just as easily have placed a request to execute a program locally. In our tests, Firefox 1.5 successfully squelched the redirection call to a local resource. Yesterday, as we reported, Microsoft stated that the vulnerable component was actually attributable to Outlook Express, not Internet Explorer. Back in 2003, when the vulnerability was first discovered, Microsoft did direct users to download Outlook Express patches, although those patches may have successfully shut off the accessibility for that vulnerability through OE, rather than change the redirection function itself.

This evidence indicates that the source of the vulnerability is probably deeper than both OE and IE. As SecurityFocus noted in its first 2003 reports of a vulnerability affecting Outlook Express, Microsoft initially -- and perhaps ironically -- offered explanations that tried to shift at least some of the blame to Internet Explorer.

Microsoft said Thursday it is investigating the issue, and plans to provide further guidance to customers.

IE7 Vulnerability

Comments

View comments by with a score of at least

midfingr
Oct 22, 2006 - 12:07 AM edited

Just a suggestion, until this is addressed. If you feel up to it, you can download 'DropMyRights' and use it as a quasi-prodect mode for Internet and Mail.
MSDN Download and info:
http://msdn.microsoft.co...html/secure11152004.asp

Score: 0

|
Post Reply
SteveJohnSteele
Oct 21, 2006 - 10:14 PM

is this the same as the ...

make a shortcut to "notepad.exe" call it "www.hotmail.com"

then go to IE and enter "www.hotmail.com" and notepad pops up

Score: 0

|
Post Reply
kenswanbeck
Oct 20, 2006 - 5:47 PM edited

I tried twice to install IE7 both the beta and the newly announced finished product. Both times I received an error in my SBC/ATT browser relating to a missing or corrupt dll file, so I restored to an earlier state thereby removing IE7 and haven't had any problems since. Fix your product before you put it on the market MICROSOFT!!!!

Score: 0

|
Post Reply
GoodThings2Life
Oct 20, 2006 - 6:04 PM

Would it not be simpler to not install buggy software on YOUR system? :)

Score: 0

|
Post Reply
bourgeoisdude
Oct 20, 2006 - 6:18 PM

"I received an error in my SBC/ATT browser relating to a missing or corrupt dll file, so I restored to an earlier state thereby removing IE7 and haven't had any problems since."

Isn't this a problem with your SBC/ATT browser, and not the IE7? If anybody here expects Microsoft to conform all of their code to work with the billions of third party software packages out there, and spend the years required to verify compatability all third-parties, raise your hand...

Score: 0

|
Post Reply
CMSTech
Oct 23, 2006 - 5:24 PM

But it is easier to blame MS isn't it? :) It is ALWAYS MS' fault.

I am sure you did the same thing I did when you read kenswanbeck's comment...just shake your head in disbelief...

Score: 0

|
Post Reply
The MAZZTer
Oct 20, 2006 - 5:02 PM

Why doesn't this work in Vista RC2 then? Does it not affect IE7 in that version? If/When IE7F is released over Windows Update there, I'll try it again...

Score: 0

|
Post Reply
nate
Oct 20, 2006 - 5:17 PM edited

Because Vista has Windows Mail, which ostensibly does not contain the buggy component in Outlook Express/IE that causes the problem.

Also, IE7 in Vista runs in "Protected Mode" that is designed to stop malicious attacks like this, even if there was a vulnerability to exploit.

Score: 0

|
Post Reply
GoodThings2Life
Oct 20, 2006 - 6:03 PM

Exactly.

Score: 0

|
Post Reply

Report: Microsoft to randomize Europe's browser screen choices

The fact that "A" is for "Apple" was apparently at the heart of browser vendor objections to Microsoft's alternative to listing IE first.

Acer eclipses Dell for #2 spot in global PC shipments, says iSuppli data

It literally does look like a 360-degree turnaround in Dell's fortunes, as the bells of bad tidings now toll solely for Dell.

Microsoft, don't hang up on Windows Mobile, but do call for help

Only a Manhattan Project can save Microsoft's phone strategy now.

See ya later, WinMo: Microsoft's mobile strategy needs a reboot

Carmi Levy | Wide Angle Zoom: Hands up if you're considering upgrading to a Windows phone for the holidays...Anybody?

Playing catch-up in 2010: Windows Mobile, BlackBerry, and Symbian

Microsoft, RIM, and Nokia are each working on improved mobile operating systems. But could these efforts add up to too little, too late?

Will Nokia's plans further alienate American consumers?

A look at Nokia's plans for the coming years does little to shine up the company's increasingly dull image.

Bing bonked by service outage Thursday, Microsoft configured the wrong server

It's always nice to have a backup, but it's even nicer to remember which one is the backup. That's the lesson Bing's admins learned yesterday evening.

Survey reveals there are more women then men, including on social networks

If you think you can market your products and services online as though you're selling car batteries in the middle of halftime, think again. And again.

Android team updates 'Donut' and 'Eclair' SDKs

The Android SDK includes components which optimize app development for each version of the mobile operating system. Today, the 1.6 and 2.0 components got updates.

The Black Screen Syndrome, or, Tech news in search of the apocalypse

Scott Fulton On Point: This is a story about something that should not have been a story, about something that at one time was a story.

Online advertising evolves away from display, toward interactive software

Marketing departments and agencies are increasingly establishing positions for "creative technologists" who can steer designers and developers toward platforms that enable direct connections with consumers.