Arguments begin over IE7 flaw
By Iain Thomson,
Microsoft has denied that there is a hole in the security of it's newly released browser IE7.
Shortly after the release of the new browser vulnerability experts Secunia issued an advisory warning of a flaw in the handling of redirections for URLs. This can be exploited to access documents served from another web site.
The Secunia researchers, who based their claim on proof of concept code posted in by a third party, say the flaw is 'Less Critical', its second least serious warning level.
But Christopher Budd, who works at the Microsoft Security Response Center, has bebunked the claims, saying that the code is secure. He claims the flaw is not in the browser itself but in the other Microsoft applications it works with.
"These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all," he wrote in the Security Center's blog.
"Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express."
This explanation however cut little ice with the experts at Secunia.
"The vulnerability is fully exploitable via IE, which is the primary attack vector, if not the only attack vector<" said Thomas Kristensen
Chief technology officer at Secunia.
"Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component."
He pointed out that Microsoft had a history of flagging flaws that could only or primarily be attacked via IE as operating system rather than browser flaws.
"Hiding behind an explanation that certain vulnerabilities, which only are exploitable through Internet Explorer, are to blame on Outlook Express, Microsoft Windows, or other core Microsoft Windows components seems more like a way to promote security of IE rather than standing up and explaining the users where the true risk is and taking responsibility for the vulnerabilities and risks in IE, which are caused by IE being so heavily integrated with the underlying operating system and other Microsoft components," he continued.
You may also like...
Sponsored Links
advertisement
You may also like...
Latest Networking Analysis & Insight
Welcome to the stay-at-home Olympics
Inside the Enterprise: The Government has warned of disruption, and the Civil Service is practising working from home. Could IT yet save businesses from chaos on an Olympian scale?
- Q&A: Cisco on servers, storage and strategy
- It's not about the browser, stupid!
- The Great British network squeeze
- New year: new suppliers
- Top 10 tech winners and losers of 2011
- 2011: The year in news
- UK rural broadband: too little, and too late
- HP PCs back on the menu with Dellish plans
- Top 10 social networking tips for enterprise - part one
Latest Networking Reviews
Swyx SwyxExpress X20 review
Rating: 
- Ipswitch WhatsUp Gold Premium 15
- ForeScout Technologies CounterACT 6.3.4
- ThinPrint Printer Dashboard review: First Look
- TITUS Aware for Microsoft Outlook review
- Windows Phone 7 Mango review: First Look
- Dartware InterMapper review
- Kemp Technologies LoadMaster 3600 review
- Sangfor WANACC M5500 review
- Office 365 review: First look
advertisement
Most popular
- Google releases Chrome for Android beta
- Will someone rid me of these troublesome Macs?
- OneNote hits Google?s Android
- BlackBerry Bold 9790 review
- Google sends in Bouncer to sort out malicious apps
- Ubuntu vs. Windows 7 on the business desktop
- Who to trust after the VeriSign hack?
- Head to Head: Mac OS X 10.7 Lion vs Windows 7
- ACTA: the basics, the controversies, and the future
- BT considering Ofcom price cap appeal
PlayRegister for IT PRO
You'll get exclusive member benefits including free whitepapers, downloads, Webinars and weekly newsletters full of the latest IT PRO news, reviews, insight and expertise.
