Internet Explorer 7 vulnerability discovered

Posted Oct 19th 2006 2:33PM by Jordan Running
Filed under: Internet, Security, Windows, Microsoft

According to security firm Secunia, the just-released Internet Explorer 7 contains a "Redirection Information Disclosure" vulnerability, which allows one site to fetch data from another site through the browser, which opens it up to all kinds of cross-site scripting (XSS) attacks. Interestingly, the same vulnerability has been known and unpatched in IE6 since April. It's one thing not to patch an old browser, but seems quite another to release a brand new browser with the same vulnerability that you've been aware of for six months. If you're running Internet Explorer and want to see the exploit in action, Secunia has set up a demo page.

Tags: exploit, ie, ie7, internet explorer 7, InternetExplorer7, microsoft, redirection information disclosure, RedirectionInformationDisclosure, secunia, security, vulnerability, windows

• Read
• Permalink
• Email this
• Share
• Comments [7]

Related Headlines

• One in three new Vista machines downgraded to XP (9 days ago - 17 Comments)
• XForce report on computer threats and vulnerabilities (30 days ago - 1 Comment)
• Microsoft Drops IE8 Beta 2 - First Impression (3 days ago - 23 Comments)
• Microsoft buys price comparison, research company for $486 million (Yesterday - 0 Comments)
• Flipping the Linux switch: Countdown to the dual boot (11 days ago - 10 Comments)

Reader Comments (Page 1 of 1)

1

10-19-2006 @ 2:54PM

naevus said...

and ie7 web site seems to be affected with this vulnerability!!!

http://www.ranzanici.com/2006/10/19/go-to-ie7-website-and-get-a-virus

Reply

2

10-19-2006 @ 4:49PM

Gardiner Westbound said...

Out less than 24-hours and IE7 already needs a patch!

Reply

3

10-20-2006 @ 12:46AM

Nicholas said...

This is not an exploit with IE7; it's actually a bug in an Outlook Express file-- you can prove this by running the sample code in IE6 as well. Microsoft is working on it.

Reply

4

10-20-2006 @ 1:12AM

nitestrike said...

I ran the demo on my test XP install before and after the IE7 final release and got a positive vulnerability both times. But I ran it on Vista with Office 2007 installed and the demo failed. another indication it is not IE7 itself that would need to be patched.

Reply

5

10-20-2006 @ 12:21PM

JB said...

Jordan -- When are you going to blog about the fact that the flaw was not IE, but Outlook Express. Seems like Secunia was trying to be a little too opportunistic for some free publicity. They should be called out on not doing their homework instead of blaming MSFT.

Reply

6

10-20-2006 @ 12:44PM

Jordan Running said...

JB: Regardless of where the actual vulnerability lies, the exploit exists in IE7, which millions of people downloaded this week. In my opinion, whether it's the fault of Outlook or not doesn't matter if people get bitten by it while they're using Internet Explorer, not Outlook.

Reply

7

10-20-2006 @ 2:10PM

K9Mark said...

IE 7 is just another tactic for Microsoft to require you to enable the Genuine Advantage service and allow them to spy. I have completely lost confidence in Microsoft's ability to produce secure software.

Reply

Download Squad Features

View Posts By

Categories

Audio (856)

Beta (343)

Blogging (702)

Browsers (48)

Business (1377)

Design (825)

Developer (938)

E-mail (519)

Finance (128)

Fun (1774)

Games (561)

Internet (4888)

Kids (135)

Office (497)

OS Updates (581)

P2P (182)

Photo (471)

Podcasting (167)

Productivity (1343)

Search (270)

Security (548)

Social Software (1133)

Text (440)

Troubleshooting (52)

Utilities (1990)

Video (1032)

VoIP (140)

web 2.0 (797)

Web services (3375)

Companies

Adobe (187)

AOL (51)

Apache Foundation (1)

Apple (476)

Canonical (35)

Google (1317)

IBM (30)

Microsoft (1319)

Mozilla (471)

Novell (20)

OpenOffice.org (43)

PalmSource (12)

Red Hat (17)

Symantec (14)

Yahoo! (356)

License

Commercial (681)

Shareware (194)

Freeware (2040)

Open Source (921)

Misc

Podcasts (13)

Features (392)

Hardware (167)

News (1123)

Holiday Gift Guide (15)

Platforms

Windows (3686)

Windows Mobile (428)

BlackBerry (45)

Macintosh (2098)

iPhone (103)

Linux (1602)

Unix (78)

Palm (177)

Symbian (122)

Columns

Ask DLS (11)

Analysis (31)

Browser Tips (296)

DLS Podcast (5)

Googleholic (202)

How-Tos (102)

DLS Interviews (19)

Design Tips (15)

Mobile Minute (133)

Mods (68)

Time-Wasters (391)

Weekend Review (40)

Imaging Tips (32)

RESOURCES

• Send us news tips
• Contact Us
• Advertise
• Corrections?
• Problems?

RSS NEWSFEEDS

• 
• Feeds by category

Sponsored Links

Advertise with Download Squad

Most Commented On (60 days)

• My Top 6 Download Annoyances (34)
• Forget the iPhone, all you need is an iPod Touch (25)
• Microsoft Drops IE8 Beta 2 - First Impression (23)
• Anti-iPhone day at Download Squad (16)
• eCalc offers new Windows desktop version (13)
• Microsoft updates Windows XP Pro anti-piracy tool (13)
• Top 5 iPhone buzzkills (11)
• Want to Know Everything About a Website? Try Quarkbase. (11)
• Mozilla explores ways to make new Firefox tabs more useful (10)
• Folder Guide Speeds Windows Directory Browsing (9)

Recent Comments

• Shezif on 10 Awesome BlackBerry apps
• edward on GMDesk: Desktop client for Gmail, Google Docs, Google Reader, etc
• archer on GMDesk: Desktop client for Gmail, Google Docs, Google Reader, etc
• OneTheyCallGSK on GMDesk: Desktop client for Gmail, Google Docs, Google Reader, etc
• archer on GMDesk: Desktop client for Gmail, Google Docs, Google Reader, etc
• Quikboy on Anti-iPhone day at Download Squad
• radon420 on iPhone App Review: Shazam helps you 'Name that tune'
• Bryan Nystrom on Mobile Productivity the Mario Way - With A Nintendo DS!
• Bryan Nystrom on Mobile Productivity the Mario Way - With A Nintendo DS!
• Bryan Nystrom on Mobile Productivity the Mario Way - With A Nintendo DS!

Urlesque Headlines

• Today's Cry - Monkey and Polar Bear Frolic, Downhill From There
• Those Lazy, Hazy, Cryptid Crazy Days of Summer Are Finally Gone... Or Are They?
• John McCain Seeks Facebook Friends
• Something Was Missing From the 2008 Olympics and That Something Was Paul Hunt
• The 5 Best 'Ghostbusters' Mash-Ups

BloggingStocks Tech Coverage

• AAPL Apple Inc
• ADBE Adobe Systems
• AKAM Akamai Technologies
• AMZN Amazon
• CSCO Cisco Systems
• DELL Dell
• EBAY eBay
• GOOG Google
• INTC Intel
• INTU Intuit Inc
• JAVA Sun Microsystems
• MOT Motorola
• MSFT Microsoft
• NOK Nokia Corp
• ORCL Oracle Corp
• PALM Palm Inc
• RHT Red Hat Inc
• RIMM Research in Motion
• SYMC Symantec Corp
• TWX AOL Time Warner
• YHOO Yahoo!

More Tech Coverage

• Control Shift It's all about the experience
• Somewhat Frank Perspectives on tech as it fuses in everyday life
• Switched Gadgets, web news and commentary
• Urlesque Exposing bits of the web

All contents copyright © 2003-2008, Weblogs, Inc. All rights reserved

Download Squad is a member of the Weblogs, Inc. Network. Privacy Policy, Terms of Service, Notify AOL