Address Redirection Cause of IE7 Issue

9 Comments

In a test conducted by BetaNews on a fresh installation of the release version of Internet Explorer 7, on a "clean" environment set up within Virtual PC 2004, the browser failed the MHTML content retrieval test. The issue involves redirecting the Web browser to a local resource.

In examining the source code of Secunia's page, we found that a JavaScript function first generates a resource location using pieces of strings, plus a randomly generated number as a throw-away parameter. The location points to a page that apparently triggers an HTTP 302 signal, purportedly that the site location has been rerouted.

The problem occurs when the browser -- or some other component of the Web browsing process -- takes the address of the rerouting for granted. With recent versions of IE, including IE7 in our test, the browser pulls up the alternate address regardless of what it contains.

In Secunia's innocuous test, the browser appears to open up the source code for Google News. However, the call to Google News was placed locally, meaning the redirection successfully forced the browser to parse a local resource request. It could conceivably just as easily have placed a request to execute a program locally.

In our tests, Firefox 1.5 successfully squelched the redirection call to a local resource.

Yesterday, as we reported, Microsoft stated that the vulnerable component was actually attributable to Outlook Express, not Internet Explorer. Back in 2003, when the vulnerability was first discovered, Microsoft did direct users to download Outlook Express patches, although those patches may have successfully shut off the accessibility for that vulnerability through OE, rather than change the redirection function itself.

This evidence indicates that the source of the vulnerability is probably deeper than both OE and IE. As SecurityFocus noted in its first 2003 reports of a vulnerability affecting Outlook Express, Microsoft initially -- and perhaps ironically -- offered explanations that tried to shift at least some of the blame to Internet Explorer.

Microsoft said Thursday it is investigating the issue, and plans to provide further guidance to customers.

IE7 Vulnerability
9 Comments

9 Responses to Address Redirection Cause of IE7 Issue

Got News? Contact Us

Recent Headlines

Overcoming real-time data integration challenges to optimize for surgical capacity and better care

From Windows XP to Windows 10 -- How Microsoft's end-of-life nag screens have changed

Pour one out for the Linux homies: Fedora 40 released

Phishing attacks up 60 percent driven by AI

Samsung begins mass production of 1Tb 9th-Gen V-NAND

Get 'Coding with AI For Dummies' (worth $18) for FREE

Meta introduces Horizon OS

Most Commented Stories

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.4.0 'pl'

62 Comments

The stunning Windows 13 -- yes, 13! -- is the Microsoft operating system we want

20 Comments

Windows 11 slammed for its 'comically bad' performance even on high-end hardware

18 Comments

Outrageous: Microsoft to charge $61 for Windows 10 updates -- consider switching to Linux!

17 Comments

Microsoft is up to its old tricks yet again -- Windows 10 users harassed with full-screen Windows 11 upgrade warnings

16 Comments

Microsoft 'improves' Windows 11 by bringing ads to the Start menu in the US

16 Comments

Microsoft releases preview version of Office 2024 for Windows and macOS -- download it now!

12 Comments

Easter giveaway! Get a licensed copy of 'VideoProc Converter for Windows/Mac' (worth $78.90) for FREE

10 Comments

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.