“Not 24 hours after the release of IE7, Secunia reports Internet Explorer Arbitrary Content Disclosure Vulnerability. So much for the “you wanted it easier and more secure” slogan found on Microsoft’s IE Website.”
Sorry – not even gonna touch this one.
Christopher Budd has this to say on the Microsoft Security Center Response Blog:
We’ve gotten some questions here today about public reports claiming there’s a new vulnerability in Internet Explorer 7. This is an issue that we have under investigation and so we have some technical information we can share about the issue.
These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector, the vulnerability itself is in Outlook Express.
Hmm… that’s like saying “You did not get food poisoning from the hamburger you ate, you got it from the contaminants in the hamburger.” Ok, so it’s a problem in Outlook Express. However, IE is the target and attack vector. So, it’s a problem with IE. Trying to pass the buck to another program is simply corporate misdirection. Time to own up, Microsoft!
While we are aware that the issue has been publicly disclosed, we’re not aware of it being used in any attacks against customers.
We do have this under investigation and are monitoring the situation closely and we’ll take appropriate action to protect our customers once we’ve completed the investigation.
How about simply taking the novel approach of – say – releasing a patch? If it is in fact a problem with Outlook Express, and not IE – then sever that link between the two programs and call it good.
And, since it has not been used to attack customers yet – why wait? According to Secunia, this exact same issue has been present in IE6 for 6 months now. How long do your customers dangle, Microsoft?