Vulnerability Reported In IE 7 is an Outlook Flaw
Microsoft said that the issue lies in a component of its Outlook Express email client that can be triggered through the browser. Christopher Budd, a security program manager with Microsoft, wrote in a blog posting on October 19, 2006, that the reports by Secunia are technically incorrect. The problem discussed in these reports is not in IE 7 or any other version of the browser but in a different Windows component, specifically Outlook Express. Internet Explorer is being used as a vector, while the vulnerability is in Outlook Express.
He added that Microsoft is aware of the public disclosure of the issue but is not sure whether it is being used in attacks against users. The investigation is ongoing and the situation is being monitored closely. He gave assurance that proper action will be taken to protect customers once the investigation is completed.
Earlier that day, Secunia posted an advisory asserting that Internet Explorer has a less serious flaw. It said that identity thieves and other offenders could exploit the flaw to steal personal details from a PC.
The flaw is a cross-domain information disclosure vulnerability. The advisory reports that attackers exploiting the defect from a malicious site could access data entered on a different site that the user is logged in to. In one scenario, the attacker would lure users to his malicious site in the hope that one or more of them would also be logged in to, for example, their online bank account at the same time. If this were true, then the attacker would easily capture the username and password details of the account.
Microsoft has said repeatedly that IE 7 is more secure than its predecessors. But Secunia first warned about the bug in Internet Explorer 6 in April. Microsoft's spokesperson could not give any information on Microsoft's response to Secunia's first report on the issue.
» SPAMfighter News - 24-10-2006