Microsoft, Secunia clash over reported vulnerability

Two security teams are at odds over which Windows component is responsible for a new lower-risk vulnerability that could lead to personal information being disclosed.

Vulnerability reporting firm Secunia, which posted an advisory on the bug Thursday, claims the unpatched flaw lies in the newly released Microsoft Internet Explorer 7 (IE7) web browser and is caused by an error in the handling of URLs. The vulnerability, according to Secunia, "can be exploited to access documents served from another website."

Microsoft released IE7 earlier this week.

But Microsoft Security Program Manager Christopher Budd countered late Thursday that the vulnerability actually is found in Outlook Express, the email client bundled with IE.

Budd said on the Microsoft Security Response Center Blog that public reports about the flaw are misleading because while it uses IE as an attack vector, the vulnerability's source is Outlook Express.

Secunia CTO Thomas Kristensen, in an email today to, disagreed, arguing that Microsoft's stance on the bug - which Secunia labeled "less critical" - "may cause users and system administrators to view the issues as less significant."

"The vulnerability is fully exploitable via IE, which is the primary attack vector, if not the only attack vector," he said. "Just because a vulnerability stems from an underlying component does not relieve IE or any other piece of software from responsibility when it provides a clear direct vector to the vulnerable component."

Meanwhile, the SANS Internet Storm Center's Bojan Zdrnja said today in a post that the vulnerability actually first appeared in April in IE6 and was never patched.

"The exploit uses a 'double' redirection trick," he explained. "It will first create an Msxml2.XMLHTTP ActiveX object which is then used to retrieve a web page from the same server that the original web page is hosted on… This web page is actually just a redirection… which uses a mhtml: URI."

The exploit only allows attackers to be redirected to a web page and steal whatever content is on it at that given time, Zdrnja said. That means, unless users are logged into their bank when the exploit occurs, they should avoid having any sensitive information stolen.

Budd said Microsoft is investigating.

"We do have this under investigation and are monitoring the situation closely, and we'll take appropriate action to protect our customers once we've completed the investigation," Budd said.

Click here to email Dan Kaplan.
