Vulnerability Reports in IE7?


The Microsoft Security Response Center has posted a blog entry that talks about the vulnerability that news reports are attributing to IE7. This is a publicly disclosed vulnerability which is actually in Outlook Express (OE) and uses Internet Explorer as a vector. It's not an issue with IE7 or any other version of IE. There's no known exploit that uses this vulnerability, which is classified as 'less critical' by Secunia.


Just to clarify, the claim that this is a vulnerability found in IE7 is incorrect. It's a known issue with OE and, as of typing this blog post, it's not being used by any malicious exploit to attack the user.


Cheers and happy browsing with IE7.


Ali

Comments (6)

  1. marishalev says:

    Hi!

    Regarding vulnerabilities and IE7.

    There seems to be some confusion about exactly what systems are affected by the Vector Markup Language (VML) vulnerability (MS06-055 security bulletin). The bulletin itself states that XP SP2 is affected, and you need to download the update. But if you try to install the update on some XP SP2 machines running IE 7, it won't install. I wonder if you can point me in the right direction on how to find a person who can get it clarified in the bulletin MS06-055.

    Marina Levshteyn

    marina@inspectsoft.com

  2. alialvi says:

    Marina: The VML vulnerability that we shipped a fix for only affects IE6 on XP SP2. In the blog post that the IE team made when we shipped the fix, we specifically mention that IE7 is not vulnerable.

    Thank you for your post.

    Ali

  3. marishalev says:

    Thank you for a quick reply!

    We have the following situation. Our company is using an in-house application that checks if all needed MS patches are installed on the user's computer before the user can VPN into the system using a Cisco-based VPN client. The application runs in the background, without user interaction. The "rules" that are used to check if the MS patch is installed are based on the MS security bulletin. MS06-055 clearly states that if you have Windows XP SP2 then you need to install the update. So the rule was created prior to the release of IE7, and now we ran into the situation where all users that have IE7 on XP SP2 are getting the warning from our program that they have to install the MS06-055 update; then they go to the MS site to install the update and in fact the update cannot be installed. But our application is still blocking them from VPNing into the system.

    That's why, in my opinion, it would've been helpful for MS to clarify the update MS06-055 (or maybe others too). They had the clarification for Windows 2K SP4 and XP SP1 there:

    “Affected Software:

    For information about the specific security update for your affected software, click the appropriate link:

    Internet Explorer 6 Service Pack 1 for Windows XP Service Pack 1 (all versions)

    Internet Explorer 6 Service Pack 1 for Windows 2000 Service Pack 4 (all versions)

    Internet Explorer 5.01 Service Pack 4 on Windows 2000 (all versions)”

    And this is the line about affected software for Windows XP SP2:

    "Windows XP Service Pack 2 (all versions)"

    I believe it should've been stated that the affected software for Windows XP SP2 is IE6, as you mention in your reply.

    We created in-house rules to check for MS06-001 – MS06-058 patches. I cannot rely on security bulletins now. So do I have to go and research each MS patch starting from MS06-001 till MS06-057 using blogs and manual tests to determine if the rule for the patch should be changed to affect IE7 users? Do I have to add a condition for all Windows XP SP2 users that checks if IE7 is installed, so that the rule should not be activated? I'm not really sure now what the best way to handle our situation is.

    Thank you for the time you spent reading it.

    Marina
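The comment above asks how a patch-compliance rule should handle XP SP2 machines running IE7, given that the bulletin's "Affected Software" line for XP SP2 does not mention the IE version while the reply states that only IE6 on XP SP2 is affected. The following is an added example, not the commenter's in-house application or any Microsoft tool: it writes the MS06-055 rule once the literal way (every XP SP2 host needs the update) and once with the IE major version as part of the condition, then evaluates both against a constructed host inventory. Host names, the `Host` record layout and keying installed updates by bulletin id (rather than the KB number a real inventory would use) are all assumptions of this example.

```python
"""Added example (not the commenter's in-house application): a patch-compliance
rule for MS06-055 that takes the installed Internet Explorer version into account.

The host inventory records below are constructed for the demo. Installed updates
are keyed by bulletin id here; a real inventory would key by KB number, which
this example does not assume.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    os: str               # "Windows XP" or "Windows 2000" (constructed values)
    service_pack: int
    ie_major: int         # major version of the installed Internet Explorer
    installed: set = field(default_factory=set)   # bulletin ids already applied


# Rule written the way the bulletin's "Affected Software" list reads literally:
# every XP SP1 / XP SP2 / Windows 2000 SP4 host needs the update, whatever IE it runs.
def ms06_055_applies_literal(h: Host) -> bool:
    return (h.os == "Windows XP" and h.service_pack in (1, 2)) or \
           (h.os == "Windows 2000" and h.service_pack == 4)


# Corrected rule: each affected platform is an (OS, service pack, IE major) condition.
# The XP SP2 entry is restricted to IE6, per the reply in the thread that IE7 is not affected.
AFFECTED_MS06_055 = [
    lambda h: h.os == "Windows XP" and h.service_pack == 1 and h.ie_major == 6,
    lambda h: h.os == "Windows XP" and h.service_pack == 2 and h.ie_major == 6,
    lambda h: h.os == "Windows 2000" and h.service_pack == 4 and h.ie_major == 6,
    lambda h: h.os == "Windows 2000" and h.ie_major == 5,
]


def ms06_055_applies(h: Host) -> bool:
    return any(cond(h) for cond in AFFECTED_MS06_055)


def missing_updates(h: Host, rules: dict) -> list:
    """Bulletins that apply to this host and are not yet installed."""
    return sorted(b for b, applies in rules.items() if applies(h) and b not in h.installed)


def vpn_allowed(h: Host, rules: dict) -> bool:
    """The gate the VPN pre-check enforces: no applicable update may be missing."""
    return not missing_updates(h, rules)


LITERAL_RULES = {"MS06-055": ms06_055_applies_literal}
CORRECTED_RULES = {"MS06-055": ms06_055_applies}

# Constructed inventory: the IE7-on-XP-SP2 case is the one described in the thread.
FLEET = [
    Host("xp-ie7", "Windows XP", 2, 7),                        # cannot install the update
    Host("xp-ie6", "Windows XP", 2, 6),                        # genuinely missing it
    Host("xp-ie6-patched", "Windows XP", 2, 6, {"MS06-055"}),
    Host("w2k-ie5", "Windows 2000", 4, 5),
]


def compare(fleet=FLEET) -> dict:
    """Map host name -> (allowed under literal rule, allowed under corrected rule)."""
    return {h.name: (vpn_allowed(h, LITERAL_RULES), vpn_allowed(h, CORRECTED_RULES))
            for h in fleet}


if __name__ == "__main__":
    for name, (literal, corrected) in compare().items():
        print(f"{name:16} literal={literal!s:5} corrected={corrected!s:5}")
```

Expressing each affected platform as a positive (OS, service pack, IE version) condition avoids the special-case negative check the comment contemplates ("if IE7 is installed then the rule should not be activated"): the IE7 host simply matches no condition, while hosts that genuinely lack the update are still blocked.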

  4. marishalev says:

    I believe I've addressed my comment to the wrong person. If that is the case, please excuse me.

    It happened by accident. I was running the spell test in my Outlook using work email in reply mode.

    I am perfectly aware that your name is Ali!

    Thank you

    Marina

  5. Kim Smith says:

    If the problem is with Outlook Express, then how do you fix it?

  6. alialvi says:

    Kim: I believe the OE team is aware of this issue and they will be the ones who will fix it. The issue is in their protocol handler (mhtml). It will be prioritized and fixed according to the severity of the issue.