IE7 Final Vulnerable to Old Exploit
UPDATE: Microsoft has responded to the issue, saying the flaw actually lies in Outlook Express. The company is investigating the situation.
Less than 24 hours after its final release, Internet Explorer 7 has been found to be vulnerable to an exploit that dates back to November 2003 and was found to affect IE6 last April. The issue centers on Microsoft's handling of MIME HTML resources, security company Secunia said in an advisory.
The vulnerability apparently involves a very simple trick where a call to a MIME HTML, or MHTML, resource can trigger the running of an executable file, even with high-level security settings.
An MHTML resource is a "Web archive" of multiple elements, often including media and sometimes (though not preferably) executable files. Through Microsoft browsers, it's addressed as a single resource with the extension .MHT.
A call placed to an .MHT resource is phrased using an old Microsoft two-part convention, where the location of the resource is separated from its identity with an exclamation point, not unlike similar syntaxes in Excel and earlier versions of Visual Basic.
As a researcher discovered in late 2003, Microsoft's default handling of this two-part convention also works the same way: if the location doesn't actually exist or cannot be resolved, the interpreter assumes the name of the resource exists on the local system. Thus, if the identity happens to be the name of a real executable file, it'll run.
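As an added illustration (not code from this article or from Secunia), the following defensive scanner finds two-part MHTML references in page markup and splits them at the exclamation point so they can be reviewed. The `mhtml:` scheme prefix, the split at the first `!`, the function names and the sample markup are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SCHEME = "mhtml:"  # assumption: scheme prefix used for MHTML resource calls

# Constructed sample markup, for illustration only.
SAMPLE = (
    '<a href="page.html">ok</a>'
    '<iframe src="mhtml:http://archive.example/missing.mht!part.htm"></iframe>'
    '<img src="MHTML:file:///C:/a.mht!logo.gif">'
)


def split_mhtml_ref(value):
    """Return (location, identity) for a two-part MHTML reference, else None."""
    value = value.strip()
    if not value.lower().startswith(SCHEME):
        return None
    # The exclamation point separates where the archive lives from the
    # resource named inside it; this example splits at the first '!'.
    location, sep, identity = value[len(SCHEME):].partition("!")
    if not sep:
        return None  # plain archive reference with no second part
    return location, identity


class _AttrScanner(HTMLParser):
    """Collects every attribute value that parses as a two-part reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            ref = split_mhtml_ref(value or "")
            if ref:
                location, identity = ref
                # A static scan cannot tell whether the location resolves,
                # so every two-part reference is reported for review.
                remote = urlsplit(location).scheme in ("http", "https")
                self.findings.append({"tag": tag, "attr": name,
                                      "location": location,
                                      "identity": identity, "remote": remote})


def find_mhtml_refs(html):
    """Return one finding per two-part MHTML reference in the markup."""
    scanner = _AttrScanner()
    scanner.feed(html)
    return scanner.findings
```
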
Last April, another researcher informed Secunia that a version of the same vulnerability continued to plague IE6. At that time, the firm posted a non-malicious test page so users could check whether their IE browsers were vulnerable. To date, Secunia believes the IE6 vulnerability remains unpatched.
Apparently, the same test conducted on the final IE7 release revealed the new browser to be similarly vulnerable. Secunia rates this problem as "less critical," perhaps mainly because this is a trigger mechanism rather than a full-scale virus or Trojan. Conceivably, however, it could be utilized by malicious users within a more complete malware setup.