Arguments begin over IE7 flaw

The new browser is secure, says Redmond; it's just some of its other software that isn't.

Microsoft has denied that there is a hole in the security of its newly released browser, IE7.

Shortly after the release of the new browser, vulnerability experts Secunia issued an advisory warning of a flaw in the handling of redirections for URLs. This can be exploited to access documents served from another web site.


The Secunia researchers, who based their claim on proof-of-concept code posted by a third party, say the flaw is 'Less Critical', its second least serious warning level.

But Christopher Budd, who works at the Microsoft Security Response Center, has debunked the claims, saying that the code is secure. He claims the flaw is not in the browser itself but in the other Microsoft applications it works with.

"These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all," he wrote in the Security Center's blog.

"Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express."

This explanation, however, cut little ice with the experts at Secunia.

"Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component."


He pointed out that Microsoft had a history of flagging flaws that could only or primarily be attacked via IE as operating system flaws rather than browser flaws.

"Hiding behind an explanation that certain vulnerabilities, which only are exploitable through Internet Explorer, are to blame on Outlook Express, Microsoft Windows, or other core Microsoft Windows components seems more like a way to promote security of IE rather than standing up and explaining the users where the true risk is and taking responsibility for the vulnerabilities and risks in IE, which are caused by IE being so heavily integrated with the underlying operating system and other Microsoft components," he continued.
