homepage Welcome to WebmasterWorld Guest from 54.197.130.16
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / HTML
Forum Library, Charter, Moderators: incrediBILL

HTML Forum

    
IE7 Suffers First Major Security Failure - or does it?
Brett_Tabke




msg:3131910
 4:43 pm on Oct 23, 2006 (gmt 0)

[secunia.com...]

A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.


 

tedster




msg:3131926
 4:57 pm on Oct 23, 2006 (gmt 0)

A response from the Microsoft Security Response Center:

These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express.

Microsoft Security Response Center [blogs.technet.com]


jdMorgan




msg:3131969
 5:28 pm on Oct 23, 2006 (gmt 0)

Note that IE6 is also a vector according to Secunia, and has been for quite awhile. This does lend some credence to the MS response, but if what they state is true, then Outlook Express needs to be fixed ASAP.

Jim

balam




msg:3131987
 5:41 pm on Oct 23, 2006 (gmt 0)

> [...] and has been for quite awhile. [...] Outlook Express needs to be fixed ASAP.

It's a (publicly-known) six-month-old issue, which means Microsoft needs another year to fix it.

jwolthuis




msg:3132014
 6:10 pm on Oct 23, 2006 (gmt 0)

I love the Demonstration:

"Your browser is vulnerable! We were able to order a pizza from Papa John's, so that's absolute proof that we could steal confidential data from your bank.

P.S. Sorry we don't actually demonstrate stealing info from your bank, but were totally confident it could happen tomorrow."

I've got bigger worries about my 14-year-old swiping a twenty out of my wallet while I'm in the shower... seems a lot higher priority than wringing my hands over this exploit.

texasville




msg:3132021
 6:14 pm on Oct 23, 2006 (gmt 0)

This is quite an old exploit. And not the first time outlook has been a security problem.

Easy_Coder




msg:3132029
 6:21 pm on Oct 23, 2006 (gmt 0)

then Outlook Express needs to be fixed ASAP.

I would almost swear that the IE blog initally referered to this is as a 3rd party object that is used in outlook express. Looking back at that blog entry now the 3rd party words are gone.

If it was a 3rd party vendor then I'll bet that vendor is feeling some pretty nice heat at the moment. If not then its somewhat interesting to see one MS team point to another team and say "its their bug"... The bug belongs to both teams, that's what happens when the os and the applications are tightly integrated.

balam




msg:3132047
 6:34 pm on Oct 23, 2006 (gmt 0)

There's a reason the software is called Lookout!:

> [...] outlook has been a security problem.

jtara




msg:3132058
 6:43 pm on Oct 23, 2006 (gmt 0)

I ran the test on my machine, and it found IE6 vulnerable.

Thing is, I don't have Outlook installed.

As with many other Windows components, Outlook has it's tentecles deeply embedded.

Now, how to I COMPLETELY remove Outlook?

Demaestro




msg:3132068
 6:54 pm on Oct 23, 2006 (gmt 0)

Now, how to I COMPLETELY remove Outlook?

You can't. Somehow like with IE they have been able to show that it is required by the OS.

j_h_maccann




msg:3132112
 7:31 pm on Oct 23, 2006 (gmt 0)

Shouldn't the last half-dozen learned commentators figure out how to distinguish between Outlook and Outlook Express? They are different apps, with no connection between their code bases, with completely different data storage formats, from different development groups, and even shipped by different divisions of Microsoft. "Outlook Express" is a lightweight (but widely used) component shipped in MS Windows (like IE). "Outlook" is a major mail client (and calendar and life-manager) also for Exchange and webmail shipped as part of MS Office. The only point of connection is the names.

jtara




msg:3132201
 8:38 pm on Oct 23, 2006 (gmt 0)

OK, how do I completely remove Outlook Express?

I don't use it, don't need it, don't want it. And, apparently, it's a security vulnerability to boot.

jdMorgan




msg:3132217
 8:52 pm on Oct 23, 2006 (gmt 0)

Control Panel -> Add/Remove Windows Components. Uncheck Outlook Express. Click Next.

Jim

jtara




msg:3132279
 9:30 pm on Oct 23, 2006 (gmt 0)

Control Panel -> Add/Remove Windows Components. Uncheck Outlook Express. Click Next.

Unfortunately, that does not completely remove Outlook Express. Or at least not the component that is causing this vulnerability.

The test for the vulnerability still fails. (Or succeeds, depending on your viewpoint...)

There is a complex manual removal procedure at the Microsoft website. It involves removing a large number of directories and registry keys. A number of spyware/adware removal tools also purport to completely remove Outlook Express.

I've done a bit more poking around, and I think that NEITHER of the characterizations of where the problem really lies (MSIE, Outlook Express) may be correct. I think this is a component further-embedded in Windows. A Symantec write-up on a similar problem suggest that disabling the mhtml handler may adversely affect the help system.

Demaestro




msg:3132310
 10:09 pm on Oct 23, 2006 (gmt 0)

Control Panel -> Add/Remove Windows Components. Uncheck Outlook Express. Click Next.


Unfortunately, that does not completely remove Outlook Express. Or at least not the component that is causing this vulnerability.

This won't ever work, you can't uninstall it, just like you can't uninstall IE. The OS requires it for some functionality. Although unistall instructions do exist some of the underlining layers will always be there including the mhtml handler.

[edited by: Demaestro at 10:11 pm (utc) on Oct. 23, 2006]

CritterNYC




msg:3132611
 6:12 am on Oct 24, 2006 (gmt 0)

It is a defect in Internet Explorer as well as Outlook Express. Even though the actual bug is within a component of Outlook Express (which is installed by default in Windows), Internet Explorer is the *ONLY* browser that lets a webpage access and abuse that vulnerable OE component. Opera doesn't. Firefox doesn't. So, the problem is with Internet Explorer and Outlook Express. Microsoft could fix *either* program to solve this issue (though they should fix both).

KPosition




msg:3133689
 10:29 pm on Oct 24, 2006 (gmt 0)

This is a non event. This bug has been apparent for several months.

But that is like saying if someone looks over your shoulder then they could get your pin number at a cash machine.

If someone can post here with real-life experience of this bug affecting them then that would be worth talking about.

As it is you probably have more chance of winning the lottery - but that isn't newsworthy is it.

I am sick of this sort of stuff ending up on the front page of webmasterworld - please someone post an experience of being hacked/spoofed or something similar. Otherwise please choose something else to get news from - this is not it.

DamonHD




msg:3133693
 10:33 pm on Oct 24, 2006 (gmt 0)

That's Brett told, then!

Rgds

Damon

KPosition




msg:3133694
 10:33 pm on Oct 24, 2006 (gmt 0)

By the way the only thing this item has been successful in is getting paranoid webmasters to check their vulnerability.

The other thing I would check is.. the Internet.

Being connected to the Internet may severely affect your security - the fix... don't browse the web, uninstall email software and web browsing software as well just in case they can get you using telepathy. Even better turn off your computer.

Sorry, just joking - but seriously don't panic it isn't a new problem and not one currently being exploited.

[edited by: KPosition at 10:36 pm (utc) on Oct. 24, 2006]

KPosition




msg:3133701
 10:39 pm on Oct 24, 2006 (gmt 0)

DamonHD, I was a bit harsh good point! But I love Brett - he knows that!

He is however very good at putting a spin on the news....

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / HTML
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved