
Forum Moderators: incrediBILL


IE7 Suffers First Major Security Failure - or does it?

     
4:43 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month



[secunia.com...]

A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.

4:57 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



A response from the Microsoft Security Response Center:

These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express.

Microsoft Security Response Center [blogs.technet.com]

5:28 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Note that IE6 is also a vector according to Secunia, and has been for quite a while. This does lend some credence to the MS response, but if what they state is true, then Outlook Express needs to be fixed ASAP.

Jim

5:41 pm on Oct 23, 2006 (gmt 0)

10+ Year Member



> [...] and has been for quite awhile. [...] Outlook Express needs to be fixed ASAP.

It's a (publicly-known) six-month-old issue, which means Microsoft needs another year to fix it.

6:10 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I love the Demonstration:

"Your browser is vulnerable! We were able to order a pizza from Papa John's, so that's absolute proof that we could steal confidential data from your bank.

P.S. Sorry we don't actually demonstrate stealing info from your bank, but we're totally confident it could happen tomorrow."

I've got bigger worries about my 14-year-old swiping a twenty out of my wallet while I'm in the shower... seems a lot higher priority than wringing my hands over this exploit.

6:14 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is quite an old exploit. And not the first time Outlook has been a security problem.

6:21 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> then Outlook Express needs to be fixed ASAP.

I would almost swear that the IE blog initially referred to this as a 3rd party object that is used in Outlook Express. Looking back at that blog entry now the 3rd party words are gone.

If it was a 3rd party vendor then I'll bet that vendor is feeling some pretty nice heat at the moment. If not then it's somewhat interesting to see one MS team point to another team and say "it's their bug"... The bug belongs to both teams, that's what happens when the OS and the applications are tightly integrated.

6:34 pm on Oct 23, 2006 (gmt 0)

10+ Year Member



There's a reason the software is called Lookout!:

> [...] outlook has been a security problem.

6:43 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member jtara is a WebmasterWorld Top Contributor of All Time 5+ Year Member



I ran the test on my machine, and it found IE6 vulnerable.

Thing is, I don't have Outlook installed.

As with many other Windows components, Outlook has its tentacles deeply embedded.

Now, how do I COMPLETELY remove Outlook?

6:54 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member demaestro is a WebmasterWorld Top Contributor of All Time 10+ Year Member



> Now, how do I COMPLETELY remove Outlook?

You can't. Somehow like with IE they have been able to show that it is required by the OS.

7:31 pm on Oct 23, 2006 (gmt 0)

10+ Year Member



Shouldn't the last half-dozen learned commentators figure out how to distinguish between Outlook and Outlook Express? They are different apps, with no connection between their code bases, with completely different data storage formats, from different development groups, and even shipped by different divisions of Microsoft. "Outlook Express" is a lightweight (but widely used) component shipped in MS Windows (like IE). "Outlook" is a major mail client (and calendar and life-manager) also for Exchange and webmail shipped as part of MS Office. The only point of connection is the names.

8:38 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member jtara is a WebmasterWorld Top Contributor of All Time 5+ Year Member



OK, how do I completely remove Outlook Express?

I don't use it, don't need it, don't want it. And, apparently, it's a security vulnerability to boot.

8:52 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Control Panel -> Add/Remove Windows Components. Uncheck Outlook Express. Click Next.

Jim

9:30 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member jtara is a WebmasterWorld Top Contributor of All Time 5+ Year Member



> Control Panel -> Add/Remove Windows Components. Uncheck Outlook Express. Click Next.

Unfortunately, that does not completely remove Outlook Express. Or at least not the component that is causing this vulnerability.

The test for the vulnerability still fails. (Or succeeds, depending on your viewpoint...)

There is a complex manual removal procedure at the Microsoft website. It involves removing a large number of directories and registry keys. A number of spyware/adware removal tools also purport to completely remove Outlook Express.

I've done a bit more poking around, and I think that NEITHER of the characterizations of where the problem really lies (MSIE, Outlook Express) may be correct. I think this is a component further-embedded in Windows. A Symantec write-up on a similar problem suggests that disabling the mhtml handler may adversely affect the help system.

10:09 pm on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member demaestro is a WebmasterWorld Top Contributor of All Time 10+ Year Member



> Control Panel -> Add/Remove Windows Components. Uncheck Outlook Express. Click Next.

> Unfortunately, that does not completely remove Outlook Express. Or at least not the component that is causing this vulnerability.

This won't ever work, you can't uninstall it, just like you can't uninstall IE. The OS requires it for some functionality. Although uninstall instructions do exist some of the underlying layers will always be there including the mhtml handler.

[edited by: Demaestro at 10:11 pm (utc) on Oct. 23, 2006]

6:12 am on Oct 24, 2006 (gmt 0)

10+ Year Member



It is a defect in Internet Explorer as well as Outlook Express. Even though the actual bug is within a component of Outlook Express (which is installed by default in Windows), Internet Explorer is the *ONLY* browser that lets a webpage access and abuse that vulnerable OE component. Opera doesn't. Firefox doesn't. So, the problem is with Internet Explorer and Outlook Express. Microsoft could fix *either* program to solve this issue (though they should fix both).

10:29 pm on Oct 24, 2006 (gmt 0)

10+ Year Member



This is a non event. This bug has been apparent for several months.

But that is like saying if someone looks over your shoulder then they could get your pin number at a cash machine.

If someone can post here with real-life experience of this bug affecting them then that would be worth talking about.

As it is you probably have more chance of winning the lottery - but that isn't newsworthy, is it?

I am sick of this sort of stuff ending up on the front page of WebmasterWorld - please someone post an experience of being hacked/spoofed or something similar. Otherwise please choose something else to get news from - this is not it.

10:33 pm on Oct 24, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That's Brett told, then!

Rgds

Damon

10:33 pm on Oct 24, 2006 (gmt 0)

10+ Year Member



By the way the only thing this item has been successful in is getting paranoid webmasters to check their vulnerability.

The other thing I would check is.. the Internet.

Being connected to the Internet may severely affect your security - the fix... don't browse the web, uninstall email software and web browsing software as well just in case they can get you using telepathy. Even better turn off your computer.

Sorry, just joking - but seriously, don't panic; it isn't a new problem and not one currently being exploited.

[edited by: KPosition at 10:36 pm (utc) on Oct. 24, 2006]

10:39 pm on Oct 24, 2006 (gmt 0)

10+ Year Member



DamonHD, I was a bit harsh, good point! But I love Brett - he knows that!

He is however very good at putting a spin on the news....

 
