Address Redirection Cause of IE7 Issue
In a test conducted by BetaNews on a fresh installation of the release version of Internet Explorer 7, on a "clean" environment set up within Virtual PC 2004, the browser failed the MHTML content retrieval test. The issue involves redirecting the Web browser to a local resource.
In examining the source code of Secunia's page, we found that a JavaScript function first generates a resource location using pieces of strings, plus a randomly generated number as a throw-away parameter. The location points to a page that apparently triggers an HTTP 302 signal, purportedly that the site location has been rerouted.
The problem occurs when the browser -- or some other component of the Web browsing process -- takes the address of the rerouting for granted. With recent versions of IE, including IE7 in our test, the browser pulls up the alternate address regardless of what it contains.
In Secunia's innocuous test, the browser appears to open up the source code for Google News. However, the call to Google News was placed locally, meaning the redirection successfully forced the browser to parse a local resource request. It could conceivably just as easily have placed a request to execute a program locally.
In our tests, Firefox 1.5 successfully squelched the redirection call to a local resource.
Yesterday, as we reported, Microsoft stated that the vulnerable component was actually attributable to Outlook Express, not Internet Explorer. Back in 2003, when the vulnerability was first discovered, Microsoft did direct users to download Outlook Express patches, although those patches may have successfully shut off the accessibility for that vulnerability through OE, rather than change the redirection function itself.
This evidence indicates that the source of the vulnerability is probably deeper than both OE and IE. As SecurityFocus noted in its first 2003 reports of a vulnerability affecting Outlook Express, Microsoft initially -- and perhaps ironically -- offered explanations that tried to shift at least some of the blame to Internet Explorer.
Microsoft said Thursday it is investigating the issue, and plans to provide further guidance to customers.