Microsoft's brand-new Internet Explorer 7 browser, which was just released Oct. 18 for Windows XP, has already failed a security test.
According to an advisory from Secunia, the gold version of IE 7 was shipped with an information disclosure flaw that could be used in spoofing attacks. The vulnerability is due to an error in the handling of redirections for URLs with the "mhtml:" URI handler.
"This can be exploited to access documents served from another web site," Secunia warned.
Here is a test page that demonstrates the bug on a fully patched version of Windows XP SP2, running Internet Explorer 7.
Curiously, Secunia first raised an alert for this vulnerability in April 2006. It was never fixed in IE 6 and ignored again in IE 7.
In fairness to Microsoft, it is nearly impossible to exploit this flaw to launch a spoofing or phishing attack. An attacker would first have to lure an IE user to a fake Web site and know for sure which other secure site might be open in an IE tab in the same browser session.
Still, it's strange that Redmond allowed this to slip through the cracks in what is largely a security-centric browser makeover.
UPDATE: Microsoft offers a somewhat dismissive response that this is not an IE vulnerability:
"These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector, the vulnerability itself is in Outlook Express.
While we are aware that the issue has been publicly disclosed, we’re not aware of it being used in any attacks against customers.
We do have this under investigation and are monitoring the situation closely and we'll take appropriate action to protect our customers once we've completed the investigation."

-------------------------------------------------------------------------------------------------------------------------------

Windows Vista on Track for Global Release

Microsoft has settled its differences with the European Commission and South Korea, meaning that Windows Vista is on track for worldwide release to volume license business customers in November and for consumers worldwide in January 2007.