funsec mailing list archives
Re: First IE7 Security Flaw Found
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 20 Oct 2006 17:19:40 +1300
Ron wrote:
> Apparently it's a flaw in Outlook Express, and IE7 is just a vector.
Given that OE is "just" a wrapper for the IE ActiveX control, that is a distinction worth making how? Yes, I know, internally MS has IE and OE teams and one gets to do all the heavy HTML and HTTP lifting bits and the other gets to do the bits relevant to what was once deemed the "must have" -- despite us having _NOTHING AT ALL_ to do with inventing them so we can't really lie/cheat/twist a competitive advantage out of them -- "Internet fundamentals to compete with Netscape" (SMTP and NNTP) bits. Ironically, the nexus of this vuln is in the MHTML handler -- about the only unique-to-Microsoft functionality in OE.
> Still funny that it took less than 24 hours till the first exploit, though :)
Nothing funny, odd or unexpected about it. You can bet that folk have been sitting on _something_ until it was actually released. Aside from what limited "fun" value this announcement may have for some, I'd be worrying about what IE 7 vulns the real black hats already have lined up and unreleased (i.e. true "zero-days" in the original meaning thereof).
Regards,
Nick FitzGerald
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.