IE7 & Security flaw - the saga continues
Less than a day after releasing its latest browser update, Internet Explorer 7, Microsoft was hit with reports that the new software had a vulnerability that was present in the last version, Internet Explorer 6, and had gone unpatched.
In response, Microsoft has called the reports technically inaccurate, and noted the flaw is not in Internet Explorer 7, but in a different component of Windows.
The vulnerability report came from security firm Secunia, which had run standard tests on the browser as soon as it was made available. The firm's chief technology officer, Thomas Kristensen, noted that he was surprised the flaw had not been fixed for IE 7.
Secunia rated the vulnerability "less critical" because attackers cannot gain remote control over a system by exploiting the flaw. But Secunia also said that the bug does put users at risk because it can be used to launch phishing attacks or spy on a user's actions.
Strong Response
The reply to Secunia's claims appeared on the Microsoft Security Response Center blog, posted by Christopher Budd, a security program manager at Microsoft.
The issue in question is not in Internet Explorer 7, or even a previous version of the browser, Budd wrote, but instead in a component of Outlook Express. "While these reports use Internet Explorer as the vector, the vulnerability itself is in Outlook Express," he noted.
Budd stated that Microsoft is aware that the issue has been publicly disclosed, but has not had any reports of the vulnerability being used in attacks against computers.
Microsoft has the matter under investigation, Budd went on to say, and the company plans to take appropriate action once it has done more research.
On the Other Hand
In response to Microsoft's reply, Secunia noted that, while it might be true that the vulnerability is an Outlook Express issue, it is still fully exploitable through Internet Explorer 7, which would be the primary attack method for malicious hackers.
"Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component," Kristensen said.
According to Kristensen, Microsoft has had a policy of tagging various vulnerabilities, where Internet Explorer is the primary attack vector, as operating system vulnerabilities. He said he believes this policy leads to confusion and might cause users and system administrators to view the issues as insignificant.
"Hiding behind an explanation that certain vulnerabilities, which only are exploitable through Internet Explorer, are to blame on Outlook Express, Microsoft Windows, or other core Microsoft Windows components seems more like a way to promote security of IE rather than standing up and explaining to users where the true risk is and taking responsibility for the vulnerabilities and risks in IE," said Kristensen.