An IE7 Security Vulnerability?


Some people are discussing a recently announced security vulnerability that they claim is found in Internet Explorer 7 on Windows XP SP2 systems.

While it is true that a vulnerability exists, the vulnerability is not actually in any components of IE7, although the attack vector makes it appear that way. Our friends at the MSRC have the issue under investigation and have posted a blog entry with more details on which component is affected and what you should do about it. If you’re curious about this vulnerability, I encourage you to read up about it there.

Thanks,

Christopher Vaughan
Lead Program Manager

Comments (54)

  1. Jerry says:

    Thank you for the information on this security problem.

  2. MS have commented on the following vulnerability: IE 7 Internet Explorer 7 "mhtml:" Redirection

  3. Tino Zijdel says:

    Fact is that this vulnerability is exposed through IE (7 and below).

    For those that don’t understand the actual issue at hand: Outlook installs a pseudo-protocol mhtml:, now when you do an XMLHttpRequest to a certain URL on your own domain, and that URL sends a redirect using this mhtml: pseudo-protocol the same-origin policy is not respected anymore.

    My personal opinion is that this vulnerability will be very hard to be utilized without some other existing vulnerability in the site in question which would give a hacker control over sourcecode on the server itself in which case this vulnerability just comes to naught.

    So basically I just consider this a spec-violation without any security-related consequences.
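
Added example (not part of the original post or of any commenter's words): a defender's check for the pattern described in comment 3, scanning proxy logs for HTTP redirects whose `Location` uses a scheme other than http/https, such as `mhtml:`. The log format, host names and function names are assumptions made for illustration.

```python
import re

# Schemes a redirect may legitimately point at for ordinary web content.
ALLOWED_SCHEMES = {"http", "https"}

# RFC 3986 scheme syntax: a letter, then letters, digits, "+", "." or "-".
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Constructed sample proxy log (assumed format):
#   client method url status location   ("-" when there is no Location header)
SAMPLE_LOG = """\
10.0.0.5 GET http://site.example/news 200 -
10.0.0.5 GET http://site.example/old 301 http://site.example/new
10.0.0.7 GET http://site.example/fetch 302 mhtml:http://other.example/account
10.0.0.7 GET http://site.example/login 302 /home
10.0.0.9 GET http://site.example/r 302 MHTML:http://other.example/
10.0.0.9 GET http://site.example/x 404 -
"""


def location_scheme(location):
    """Return the lower-cased scheme of a Location value, or None if relative."""
    match = SCHEME_RE.match(location.strip())
    return match.group(1).lower() if match else None


def find_suspicious_redirects(log_text):
    """Flag 3xx responses that redirect to a non-http(s) scheme."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip rather than guess at its fields
        client, _method, url, status, location = parts
        if not status.isdigit() or not 300 <= int(status) < 400:
            continue
        if location == "-":
            continue
        scheme = location_scheme(location)
        # Relative redirects (scheme is None) stay on the same origin.
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            findings.append(
                {"line": lineno, "client": client, "url": url, "scheme": scheme}
            )
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_redirects(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['url']} redirects to {hit['scheme']}: scheme")
```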

  4. ieusr says:

    this test

    http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/

    says

    "Your browser is vulnerable! The test retrieved content from news.google.com in the context of your browser.

    This actually means that if you were logged into your bank account, any web site you are visiting would be able to retrieve confidential data from your bank. This could also be used to retrieve personal settings entered on sites like eBay or Paypal."

    If it’s true, this is bad for a product advertised as "secure" (I think the "vector" argument isn’t an excuse, you should be pro-active and not re-active with these issues)

  5. Leo says:

    Thank you for posting this, especially on a day when many months of hard work were finally revealed.

    It must take a lot of courage to be flagged by the world as having released an insecure product and still be able to be transparent.

    The whole IE team needs to be commended for this persistence and willingness to face a brutal audience.

  6. Tony says:

    "Fact is that this vulnerability is exposed through IE (7 and below)." – Tino Zijdel

    So does this mean the "vector" issue has been duplicated in previous versions of IE? How long has this "mhtml: pseudo-protocol" existed in OE?

    I would think the greater concern isn’t if it’s a security risk, as much as if it is *not* duplicated in previous IE versions, then why only IE7?

    I’m sure the investigation will determine the answers and hopefully a hotfix will be available prior to Nov 1st. I suspect we will see a public disclosure of several new "vulnerabilities" in the coming weeks.

  7. goose says:

    Microsoft is 100% secure. People are just trying hard to put you down! You ought to be commended for your industry-leading approach to patching bugs and security. Windows XP even connects to sa.windows.com every time we do a local search on my drive, just to make sure we’re being good. Media Player connects and sends info for no logical reason after the playback of every video, too.

    I love Microsoft! They always keep an eye out for me, and IE7 is the most secure product of all! We will be here a year from now and there will be ZERO problems with security – that is certain!!!

  8. PatriotB says:

    Tony: It’s not "only IE7".  It’s exposed via IE6 as well.

  9. Jay says:

    What difference does it make which Microsoft team introduced this serious vulnerability? The net is that users of IE7 are vulnerable and no fix is available. At the same time users of Firefox or any other browser are safe from this attack. Go figure.

  10. robert n mease says:

    this  IE 7.0  IS THE FASTEST YET

  11. PatriotB says:

    Jay: It makes a difference because here is a brand new product, released yesterday, and people come along today and claim it has a new security vulnerability.  When it’s actually a hole in code that is not owned or maintained by the IE team.

    If there’s a hole in a video driver that can allow remote code execution via viewing a specially-crafted image in a web browser, is that the browser’s fault as well?

  12. Wraith Daquell says:

    I wonder if the makers of this vulnerability were just waiting for the product to release…

    As long as sick, stupid, distorted hackers live, and as long as computer illiterate folk live who need convenience, the contending forces of the two will cause vulnerabilities to be discovered.

    I for one support Microsoft, and shall support Microsoft, even though they have a few vulnerabilities. Any company that provides a good level of support for multiple types of computers on vast amounts of otherwise-incompatible hardware gets my respect. Certainly not some ‘we only run on our own hardware’ company, or an open-source project as stable as a sandpit.

    But go ahead. Attack Microsoft. It’s not like there’s actually people on the other end of this blog, reading your kind or otherwise posts, who try to make a living the best they can just like you do. </sarcasm>

  13. Tony says:

    @PatriotB – I just discovered that. Secunia originally disclosed the issue in April 2006 for IE6. Of course with IE7 it’s just another opportunity to scare the world. As for previous versions of IE and other browser

    As Tino stated it is a vulnerability that is incredibly difficult to exploit. I’m sure some genius will figure it out, but until then let the investigation continue.

    "At the same time users of Firefox or any other browser are safe from this attack." – Jay

    If you have been following the blog for as long as I have you would have realized that IE and OE are tightly integrated. The simple fact non-MS browsers do not rely on the same API and OS infrastructures as IE does should be explanation enough.

    In all honesty, even with my criticisms and other concerns posted throughout, I do commend the IE team for their work. Finding new flaws and other security based issues should have been expected. When asked "should I update" my answer is always "yes, it’s an improvement over IE6, however it may take awhile to adjust to the new interface. If you still don’t like it uninstall it. When the computer reboots it automatically re-installs IE6 for you."

    Have I updated? Not yet. I’m a web designer and I need a supported solution to test in both IE6 and IE7 without purchasing another XP license and I would rather not pirate.

  14. pinto says:

    @Wraith,

    I’m with you in your support of the developers who get flak in these pages on a regular basis.  And I agree with you and others who have noted the disingenuous nature of the current vulnerability claims.

    That said, it’s important to remember that the IE team is more than just a bunch of programmers making a living the best they can.  They work for a giant corporation which has leveraged its monopoly in order to make IE6 the dominant browser on the web even as it has gotten further and further behind the state of the art.

    Web developers (myself included) have pleaded, cajoled, asked nicely, filed bug reports, searched for guidance (official and otherwise) for years.  The IE team is a part of MS and MS has forced the IE problem upon us.  It’s hard even for the most well-meaning among us to not feel a certain amount of frustration.

    I visit this site often and hope that both sides (web devs and MS devs) can come together and drag the IE code base kicking and screaming into the 21st century.  Here’s hoping that MS actually means it (this time) when they say that they’re committed to delivering a quality product (IE7 is great but definitely not "there").  Likewise, perhaps the frustrated web devs out there could refrain from being asses and scaring the poor IE team back into their rabbit hole for another 5 years?

  15. Dawood says:

    Congratulations for the super cool browser but as of now I’m experiencing malware on the ie7 home page. In all web browsers.

  16. BigAl says:

    @ Dawood: uninstall or update your Antivirus software. It’s a false positive case.

  17. Moba says:

    The problem is not about a new vulnerability. But how long will it take to fix it in IE7?

    If it’s fixed in 1 week, IE7 is a very great upgrade but if it’s not, IE7 is a very bad work.

    When do you think it will be fixed ?

    Regards.

  18. Don says:

    @Moba:

    The vulnerability is located within an Outlook Express component, not IE7.

    I doubt it will ever be "fixed" in IE7.

  19. Moba says:

    @Don

    I don’t care about that. In fact, when I use IE7 (not OE), it’s not safe. I don’t know why IE7 uses the OE dll but it should not.

    A fix must test the "vulnerability" of this dll and unable IE7 to use it.

    You can’t say a program is safe if you know it uses unsafe components.

  20. Fduch says:

    Now they lay all the blame on OE team. Very good.

    When I told them that IE7 has broken support for .mht files with chinese characters in names, they told me it’s Outlook’s fault too. I then wonder why IE6 works fine with the same Outlook…

  21. Grant says:

    @goose

    I’ve been following your comments on this blog for quite some time, laughing hard on every one.

    On your next post, can you hint as to whether you are A or B?

    A) An MS Fanboy, that seriously delusionally thinks that everything MS makes is polished titanium and even questioning so, is blasphemy.

    or

    B) A realistic user/developer/???? that posts such facetious comments where the sarcasm is laid on so thick, that we think you are A.

    I really do enjoy the comments, it’s just killing me to know which one you are! :-)

  22. Fduch says:

    @Grant

    I think it’s obvious. Don’t spoil it.

    I posted such comments when this blog only started, but they were deleted.

  23. mocax says:

    So how do I get rid of this mhtml and outlook express?

    I don’t use outlook express anyway.

    which dll do I delete?

  24. MacHershell says:

    Well, as a SeaMonkey and Firefox fan, I have been testing IE7 for the last several weeks.  I have been very impressed and, in fact, have minimized using SeaMonkey… So, I have 3 browsers on my system (IE7, Firefox 2.0, and SeaMonkey 1.0.5).

    As a web developer, I *must* have several browsers to use for testing.  As I said, I have been very impressed with IE7.  Besides this security FUD (Remember FUD when it was MS using it to scare people away from Java?  Fear-Uncertainty-Doubt?), I cannot understand why it takes so long to open a new tab.  In both Firefox and SeaMonkey, tabs are instantaneous.  In IE7, there’s a long pause (on the order of seconds — not minutes!) — much longer than the instantaneous tabs of Mozilla.  What’s up with this?  Is this where MS reports back to King Bill?

    Well this is (what the Japanese refer to as) bachi (sp?).  I suppose Buddhists refer to it as Kharma.  Me, I just call it "deserving."  :)

    Another disappointment (despite, as I said, being impressed overall) is that certain Drupal themes do not display properly in IE7.  Again, MS has been resistant to comply with web standards…

    But IE7 is closer than any previous internet-exploding browser by MS, yet…  My browser history is:  Netscape 2.0, Netscape 3.0, Mozilla, SeaMonkey, Firefox, and (soon, hopefully) IE 7.

    Good luck in resolving the OE/IE issue… One thing is certain… whichever team holds ownership, ultimately it is Microsoft who holds ownership of the issue — and whether resources will be allocated to correct the issue…

    So that we may replace FUD with HUG (Huge Ugly Giant)!  <g>

  25. mocax says:

    BTW, I still can’t drag highlighted text into the search/url box

  26. Aedrin says:

    "The net is that users of IE7 are vulnerable and no fix is available. At the same time users of Firefox or any other browser are safe from this attack. Go figure."

    There is no reason for the "media" (used very lightly here) to make it appear that the weakness ‘was discovered’ in IE7. And yes, FireFox/others are safe from this, but FireFox has its own security issues. So it’s not like they’re innocent (some security issues going back several years).

  27. Confused says:

    Maybe it’s just me, but the Secunia test does NOT work on my IE 7. I am using an older version, and protected mode is on (it didn’t work with it off either however). I’m on Vista RC2.

    Maybe I was just lucky, but this security alert seems a little dubious.

  28. Don says:

    @Confused:

    IE7 Vista RC2 (build 5744) passes that test with "Your browser does not appear to vulnerable to this particular exploit."

  29. MrBester says:

    All versions of IE that can handle XMLHTTPRequests AND have some vestige of Outlook Express installed are "vulnerable" as it is the OE dll that has the problem: IE just hands it to OE.

    Personally, I thought I’d excised all elements of OE from my system as I hate it with an absolute passion and always have (the only possible benefit from using it was the newsreader, but then there was Netscape 4.x with a far superior one), but that must have been in a previous machine build.

  30. Fduch says:

    @Aedrin

    >"The net is that users of IE7 are vulnerable and no fix is available. At the same time users of Firefox or any other browser are safe from this attack. Go figure."

    >There is no reason for the "media" (used very lightly here) to make it appear that the weakness ‘was discovered’ in IE7. And yes, FireFox/others are safe from this, but FireFox has its own security issues. So it’s not like they’re innocent (some security issues going back several years).

    Yes. They shouldn’t have said it was "discovered". They should have told the truth:

    "There was a vulnerability in OE that was making IE vulnerable. And Microsoft knew about it. And did nothing. Now they release IE7 and speak about security. It’s perfect time to remind people how Microsoft handles security. Unless being reminded they can erroneously think that IE7 is fresh and secure."

    You can laugh, but many people really think that the new program versions are released "fresh" without known bugs or holes.

  31. Aedrin says:

    So the next time FireFox is on the news, there should also be an article: "FireFox still contains numerous memory leaks and bugs and didn’t do anything about it in the new version!"

    A program has bugs, what blasphemy. Microsoft can’t fix every single little loophole/bug? They should be shot!

    Unless you work at Microsoft (in one of the development departments) I don’t think you can assume that they don’t care. There is a lot more to it than just fixing it.

    We can keep this going on and on. But at the end of the day, all programs may contain bugs and/or security issues. Small companies can fix this easily, while it takes more time as the company gets bigger. No matter how unfair you think it, this happens everywhere and with everything.

    Perfection may be strived for, but will never be attained.

    Sure, Microsoft could rewrite their rendering engine/browser to start fresh.

    But wait, didn’t someone else do that too? Oh yes, Netscape.

    What happened to them? Exactly.

    If you find Internet Explorer/Microsoft so horrible, why bother complaining to them? What do you say, you have to develop for it? Oh, I see. This is part of your job then. And if it is your hobby, stop doing it. Nothing is perfect, with every platform/framework you have to remember that bugs exist and you have to work with this.

  32. Michael says:

    I’m not too concerned with this ‘vulnerability’ and I’m tired of Firefox anyway. I like IE 7 a lot. Keep up the updates though!

  33. Fduch says:

    @Aedrin

    I’m not web developer, so this region of hell doesn’t bother me too much.

    What I wanted: improvements over IE6.

    What I got: improvements over IE6 + many degradations.

    How can I honestly say that IE7 is better than IE6 if it cannot open my .mht files anymore; if it crashes about 20 times more frequently than IE6; times-out even worse than IE6.

    IE7 is different browser. It has many improvements over IE6, but I cannot say it’s better. Just different.

    P.S. Some questions:

    What can you say about closing bug tracker at Connect site?

    Comment on this please:

    Overall Statistics

    33 783 registered users

    8 258 total bugs

    2 588 total suggestions

    1 802 active bugs

    298 resolved bugs

    6 158 closed bugs

    1 774 active suggestions

    19 resolved suggestions

    795 closed suggestions

  34. EricLaw [MSFT] says:

    @MacHershell: The most common performance issue for creating new tabs relates to plugins.  Do you have any toolbars/BHOs/Explorer bars installed?  What type of machine do you have?

    For architectural reasons IE7 maintains one instance of each plugin for each tab (any other design would mean rewriting all of the existing plugins).  This means that if you have a lot of plugins installed, you’ll experience slower performance than you would otherwise.  My machines take well under a second to spawn a new tab with two or three plugins installed at any given time.

  35. marishalev says:

    Can you help me to clear up the following issue or address me to a right person/group/site.

    MS security bulletin MS06-055 itself states that XP SP2 is affected, and you need to download the update. But if a person tries to install the update on  XP SP2 machines running IE 7, it won’t install. Can it be clarified in the bulletin?

    Thank you

    Marina Levshteyn

    marina @ inspectsoft.com

  36. Stefan says:

    @marishalev:

    IE7 was not released at the time of MS06-055.  It is my understanding that this is the reason why XP SP2 with a beta/RC IE7 was not specifically listed.

    The release version of IE7 should not be vulnerable (haven’t tested it myself).  So why specifically mention in a security bulletin that a product released afterwards is not vulnerable?  To me that doesn’t make sense.

    BTW: To me the timing of the Secunia advisory looks just like an attempt to grab attention.

  37. Sebhelyesfarku says:

    The moral of the IE7 story: you can’t polish a turd.

  38. Marina: we specifically mention in a blog post that IE7 is not vulnerable to MS06-055. That release was designed for people running XPSP2 without IE7 (ie, at the time, most people).

    See our blog post here: http://blogs.msdn.com/ie/archive/2006/09/29/777193.aspx

    -Christopher

  39. fab says:

    YOU people from IE team at microsoft, YOU said that IE is so deeply inside windows… remember of that ?!

    And now there is a flaw in IE..(OE was usually shipped with IE at the time IE was not a part of the OS)

    You say "wait a second, it’s not IE, it’s OE !!!"

    … so deeply inside OS…

  40. marishalev says:

    Christopher,

    Thank you for a quick reply!

    We have the following situation. Our company is using an in-house application that checks if all needed MS patches are installed on the user’s computer before the user can VPN into the system using a Cisco based VPN client. The application runs in the background, without user interaction. The "rules" that are used to check if the MS patch is installed are based on the MS security bulletin. MS06-055 clearly states that if you have Windows XP SP2 then you need to install the update. So the rule was created prior to the release of IE7 and now we ran into the situation when all users that have IE7 on XP SP2 are getting the warning that they have to install the MS06-055 update from our program, then they go to the MS site to install the update and in fact the update cannot be installed. But our application is still blocking them from VPN into the system.

    That’s why, in my opinion, it would’ve been helpful for MS to clarify the update MS06-055 (or maybe others too). They had the clarification for Windows 2K SP4 and XP SP1 there:

    "Affected Software:

    For information about the specific security update for your affected software, click the appropriate link:

    Internet Explorer 6 Service Pack 1 for Windows XP Service Pack 1 (all versions)

    Internet Explorer 6 Service Pack 1 for Windows 2000 Service Pack 4 (all versions)

    Internet Explorer 5.01 Service Pack 4 on Windows 2000 (all versions)"

    And this is the line about affected software for Windows XP SP2

    "Windows XP Service Pack 2 (all versions)"

    I believe it should’ve been stated that the affected software for Windows XP SP2 is IE6, as you mention in your reply.

    We created in-house rules to check for MS06-001 – MS06-058 patches. I can not rely on security bulletins now. So do I have to go and research each ms patch starting from MS06-001 till MS06-057 using blogs, manual tests to determine if the rule for the patch should be changed to affect IE7 users? Do I have to add the condition for all Windows XP Sp2 users that checks if IE7 is installed then rule should not be activated? I’m not really sure now what the best way to handle our situation.

    Thank you for time you spend reading it.

    Marina
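
Added example (not from the original thread, and not Marina's in-house application): one way to express the condition discussed in comment 40, where the MS06-055 rule for Windows XP SP2 applies only when the installed IE is older than IE7. The `Host` fields, rule functions and sample inventory are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    ie_major: Optional[int]            # None = version could not be determined
    installed: frozenset = frozenset() # bulletin IDs whose update is present


def old_rule(host):
    """Rule written from the bulletin text alone: XP SP2 means update required."""
    return host.os == "Windows XP SP2"


def revised_rule(host):
    """Same rule with the applicability condition from the thread:
    on XP SP2 the update is required only when IE is older than IE7."""
    if host.os != "Windows XP SP2":
        return False  # other platforms need their own rules (not modelled here)
    if host.ie_major is None:
        return True   # fail closed: unknown IE version is treated as affected
    return host.ie_major < 7


def vpn_allowed(host, rule, bulletin="MS06-055"):
    """A host passes if the rule does not apply to it or the update is installed."""
    return (not rule(host)) or bulletin in host.installed


# Constructed sample inventory.
HOSTS = [
    Host("pc-ie6-unpatched", "Windows XP SP2", 6),
    Host("pc-ie6-patched", "Windows XP SP2", 6, frozenset({"MS06-055"})),
    Host("pc-ie7", "Windows XP SP2", 7),
    Host("pc-unknown-ie", "Windows XP SP2", None),
]


def evaluate(hosts):
    """Map host name -> (allowed under old rule, allowed under revised rule)."""
    return {
        h.name: (vpn_allowed(h, old_rule), vpn_allowed(h, revised_rule))
        for h in hosts
    }


if __name__ == "__main__":
    for name, (old, new) in evaluate(HOSTS).items():
        print(f"{name:18} old rule: {'allow' if old else 'block'}  "
              f"revised rule: {'allow' if new else 'block'}")
```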

  41. Moba says:

    So. Will it be fixed ?

    Or must I wait for the XP Sp3 (2008) ?

  42. Chris says:

    I am a developer and from a standards stance I don’t like IE I wish the corporate world used another well known browser…

  43. Marina- historically we (we as in Microsoft) haven’t referred to products in pre-release in our security bulletins (for instance, we don’t discuss Windows Server 2003 Service Pack 2 Beta either). MS06-055 was released prior to IE7, so that’s why it didn’t refer to IE7 specifically. Now that IE7 is out, you should expect future bulletins to differentiate if necessary. I will talk with some other folks about if we should go back and retro-actively update bulletins to show whether or not IE7 is affected so we are clear for folks like yourself. The only question is, of course, how far do we go back and update bulletins? Thanks and keep those questions coming. I’m happy to respond.

    -Christopher

  44. Bob says:

    If this is not an IE issue, why are machines with IE 7 beta 2 not affected, then immediately affected upon upgrading to IE 7 RTM?

  45. EricLaw [MSFT] says:

    @Bob: This issue is not in IE, and hence it exists without regard to IE version.  IE7 Beta 2 on XP is an affected platform.

  46. Arieta says:

    If you want to go apeshit on small technical issues such as ONE bug which is not even critical, and very very hard to exploit, let me remind you that Firefox has over 20 similar unpatched bugs. Logically Firefox should be an insecure turd too using your way of thinking.

  47. marishalev says:

    Christopher,

    >The only question is, of course, how far do we go back and update bulletins?<

    I understand. Maybe just put some kind of disclaimer/notification on front page of Microsoft Security Bulletins summary so it can be more visible.

    And thank you so much  for your reply. It helped me a lot.

    Marina

  48. Bob says:

    @EricLaw

    On a Windows 2003 machine with IE 7 beta 2, the Secunia test returned not vulnerable. On the *same* machine having upgraded to IE 7 RTM, the Secunia site returned vulnerable. This is something I witnessed with my own eyes (and my own mouse clicks).

  49. Peter says:

    I’m a big fan of IE7 and MS products in general, but I still feel it is disingenuous to pass this off as someone else’s problem.

    Many of the vulnerabilities exposed by IE have in fact been due to exposure in ActiveX controls. I have no problem with ActiveX in general and have written my own IE controls, but the fact is ActiveX is the weak link in IE’s security chain. You have to be very careful deciding to install a control on your machine.

    Which is why I believe IE bears responsibility here… I didn’t install mshtml on my machine, it came with Windows, as did numerous other controls. To live up to the "secure by default" mantra, IE needs to proactively restrict access to these controls UNLESS IE IS WILLING TO VOUCH FOR THEM.

    I realize that IE and MS have put a lot of effort in trying to certify them. But in this case they failed. My machine is vulnerable because IE is installed, and IE should take responsibility.

  50. JACN96@hotmail.com says:

    Hello, good morning, can someone guide me

    I have not been able to log in to view my Transcript

    with Internet Explorer version 7.0.5

    MCP – Microsoft Certified Professional Bogota Colombia

    https://mcp.microsoft.com/authenticate/ValidateMCP.aspx

    Transcript ID : 719607 Access Code : Microsoft

    Thank you

    BEST WISHES

    SINCERELY

    JOSE ARMANDO CAMACHO NAVARRETE

  51. Peter: we work very closely with other teams within Microsoft. Fixing this bug would have required us to ship a component owned by another team, potentially for the life of IE7 (10+ years) since we couldn’t guarantee that every IE7 user installed every non-IE update.

    As to the vulnerability itself, please understand: it has nothing to do with ActiveX and we’re trying hard to not appear to be pointing fingers (it IS a Microsoft vulnerability, one we own up to and do intend to fix).

  52. Moba says:

    On this page, I have 121 warnings in the XHTML validator.

  53. Chuck Detore says:

    I’ve been using IE7 for a while, only thing I find strange is when I leave my online banking, it hangs up for quite a while.  This makes me nervous (Real nervous if I had a lot of money)