Re: First IE7 Security Flaw Found

[Nick FitzGerald <nick () virus-l demon co uk>]

Ron wrote:

> Apparently it's a flaw in Outlook Express, and IE7 is just a vector.

Given that OE is "just" a wrapper for the IE ActiveX control, that is a 
distinction worth making how?

Yes, I know, internally MS has IE and OE teams and one gets to do all 
the heavy HTML and HTTP lifting bits and the other gets to do the bits 
relevant to what was once deemed the "must have" -- despite us having 
_NOTHING AT ALL_ to do with inventing them so we can't really 
lie/cheat/twist a competitive advantage out of them -- "Internet 
fundamentals to compete with Netscape" (SMTP and NNTP) bits.

Ironically, the nexus of this vuln is in the MHTML handler -- about the 
only unique-to-Microsoft functionality in OE.

> Still funny that it took less than 24 hours till the first exploit,
> though :)

Nothing funny, odd or unexpected about it.

You can bet that folk have been sitting on _something_ until it was 
actually released.

Aside from what limited "fun" value this announcement may have for 
some, I'd be worrying about what IE 7 vulns the real black hats already 
have lined up and unreleased (i.e. true "zero-days" in the original 
meaning thereof).


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.