Microsoft Spars With Security Analysts Over IE 7 Bug


By Gregg Keizer, ChannelWeb

1:24 PM EDT Fri. Oct. 20, 2006
Microsoft is reacting to a report that the just-released Internet Explorer 7 contains a bug by saying the flaw is actually in Outlook Express, the free e-mail program included with Windows 2000 and XP. The security company that issued the original alert, however, said that didn't matter: attackers could use IE 7 to grab users' data.

Thursday, Danish vulnerability tracker Secunia warned that IE 7, which Microsoft unveiled in final form the night before, included a cross-domain information-disclosure vulnerability. The bug, said Secunia, was in the MHTML: URI handler, and could be used in a malicious site to hijack data entered on a separate site at which the user was already surfing. The vulnerability, said experts, might be used by identity thieves to rip off bank and credit card account usernames and passwords.

"These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version [of IE])," said Christopher Budd, security program manager at Microsoft's Security Response Center (MSRC), on the group's blog. "Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express."

Secunia's chief technology officer, Thomas Kristensen, dismissed Microsoft's correction. "Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component," he said. "The vulnerability is fully exploitable via IE, which is the primary attack vector, if not the only attack vector."

The Internet Storm Center (ISC) security organization took a middle path. "Did Microsoft just use old code [in IE 7]? Not really. The vulnerability exists in the MSXML ActiveX component which is actually part of Outlook Express," wrote analyst Bojan Zdrnja on the ISC Web site. "[But] it looks like Microsoft once again got caught into ancient bugs which were already present on the machine [and] we wonder why this hasn't been fixed before."

Secunia first warned of the MHTML bug in April.

"For a long time Microsoft has had a policy of tagging various vulnerabilities where IE was the primary or only attack vector as operating system vulnerabilities," said Kristensen. "This leads to some confusion and may cause users and system administrators to view the issues as less significant.

"While it may be correct from an organizational, and public relations, point of view within Microsoft, this does not fit how it is perceived by users and administrators, and how they are going to defend against exploitation," Kristensen added.

The MSRC's Christopher Budd said that the center was investigating the vulnerability, but did not offer a timeline for a patch.

Microsoft released IE 7 Wednesday, more than five years after the last major upgrade to the company's often-criticized browser.
