22 October 2006

 

Is it IE7 or Outlook Express that is vulnerable or does it matter?

Earlier this week Secunia announced that Internet Explorer 7 was affected by an MHTML redirection exploit that was found in IE 6 as early as 2003.
Microsoft has responded by saying that it is an exploit that affects Outlook Express and is not a vulnerability in any version of Internet Explorer.
Secunia responded to this statement by saying that the vulnerability is fully exploitable from Internet Explorer and that IE was the primary, and possibly only, way of exploiting it. Secunia does acknowledge that the actual vulnerability may be in Outlook Express, but still stands behind the alert being for IE, stating that it is deceiving to users not to say that IE is vulnerable when that is the application being used to exploit the vulnerability.
For a vulnerability that has been around since 2003, one would think that Microsoft would be more interested in patching it than in bickering over which application is vulnerable and which is at fault. If IE is how the vulnerability is being exploited, then either IE should be patched to prevent the exploit from working on Outlook Express, or Outlook Express should be patched to eliminate the vulnerability. Both applications are at fault. The fix could be made in either place, and it should be made instead of trying to point the finger at other applications. The average user doesn't care exactly which program is vulnerable; they just want to have a fairly secure computer and not worry about viruses or other malicious activities. When there is a problem, it doesn't matter which application it is in. What matters is that it is fixed.
