As you probably know by now, Microsoft yesterday released the final version of Internet Explorer 7; if you want to install it on your machine you can download it from http://www.microsoft.com/windows/ie/default.mspx. Microsoft also said that in couple of weeks this will be automatically pushed to all client machines through Windows Update, so if you still haven't tested your mission critical internal web applications with IE7, you better do it now.
Besides news about the final version of IE7, a lot of people are already talking about the first vulnerability for IE7, which was announced yesterday on various security mailing lists. The vulnerability is caused by an error in redirections handling with the "mhtml:" URI handler.
After analyzing this security vulnerability, we have to disappoint you ? it's nothing new. Actually, this vulnerability was announced way back in April this year for Internet Explorer 6 (http://secunia.com/advisories/19738). It is still not patched, so besides IE7, this vulnerability can be exploited in a fully patched IE6 installation as well.
So what's going on here, did Microsoft just used old code? Not really. The vulnerability exists in the MSXML ActiveX component which is actually part of Outlook Express (so it is installed on every machine as well).
The exploit uses a "double" redirection trick ? it will first create an Msxml2.XMLHTTP ActiveX object which is then used to retrieve a web page from the same server that the original web page is hosted on (one containing the exploit). This web page is actually just a redirection (302) which uses a mhtml: URI. This causes the ActiveX object to retrieve any other web page referenced by the mhtml: URI, which can be referenced from the original web page.
In other words, this exploit can be used by an attacker to possibly retrieve other data that your browser has access to. While stealing information like banking data is possible, our testing showed that only content of the web page can be retrieved by the attacker ? they can not steal your credentials and they can not retrieve that data unless you are logged in to your bank account at the same time when you visit the web page hosting the exploit.
It looks like Microsoft once again got caught into "ancient" bugs which were already present on the machine (we do wonder why this hasn't been fixed before though).
One thing worth nothing is that Internet Explorer 7 has a native XMLHTTPRequest object implementation so theoretically it should be possible to disable the ActiveX object, but pages using it would have to be rewritten (hence support for the ActiveX object). Further testing will show if the native support implementation is also vulnerable ? we'll post new information as we get it.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Madrid March 2019
Oct 20th 2006
1 decade ago