Internet Explorer 7 was only released yesterday to the masses, and already there are complaints of security holes. "Of course," you say...what new piece of software doesn't have a few new bugs in it? Well, new bugs would be fine and dandy - but how about some that are at least two versions old?
Exploit tracking and security firm Secunia
has reported that the same mhtml:
redirect bug that has existed since IE5.5 is still alive and well in IE7, and it doesn't seem to be going anywhere quickly. The scam uses an html email to direct the target to a secure site (like a bank) in order to obtain password information.
The bug is not horribly easy to exploit, and hasn't been since its initial discovery. However, when it works, it does so very well - and it has been the crux of quite a few phishing tricks. Secunia classes the threat as "less critical," but the firm is a bit bewildered why it's never been fixed. For an easy solution, the company recommends disabling active scripting in IE.
Microsoft's answer to this is that the bug is not one of Internet Explorer at all, but actually is an exploit designed around the framework loopholes of Outlook Express. Somehow, that makes it all better. On another note, the Secunia website has a test
to see if your browser is secure or not - Firefox is not vulnerable to the exploit.
Have you got a thought on this? Though it's not a critical oversight, does it lead you to wonder what else hasn't been fixed? Or is this just a little thing blown out of proportion? Let us know your thoughts in our forums