While Microsoft has been celebrating the successful launch of its Internet Explorer 7 web browser, not all has gone entirely to plan, it seems. Just hours after the launch, Secunia reported that a security vulnerability was found in the browser, dampening the spirit somewhat. According to Secunia, the flaw was originally discovered in 2005 and affected IE6, and was found to be present in the new incarnation of Microsoft’s browser, too.
The reported vulnerability enables malicious users to steal private information and could be useful in a phishing attack scenario. Secunia’s description of the “less critical”-rated problem reads: “the vulnerability is caused due to an error in the handling of redirections for URLs with the ‘mhtml:’ URI handler.” A data leak could occur if a user opened a maliciously crafted website while being logged into a separate, secure site such as an online bank account page.
However, Microsoft has already tried to allay fears about the safety of the new products. According to a post on the Microsoft Security Response Center blog, the company is aware of the recent reports and can say that the vulnerability itself does not occur in IE7, or any version of IE for that matter. In fact, it is a flaw in a component of Outlook Express, which is currently being investigated.
Parallel to the appearance of reports regarding a vulnerability in the newly launched IE7, a flaw has also been found in Opera (versions 9.0 and 9.01 for Windows and Linux). The Opera flaw was also reported by Secunia, which rated it much higher than the IE problem at “highly critical”, the fourth-highest grade. According to the Danish company, the vulnerability in Opera is caused when the browser attempts to process extremely long URLs, which would cause a heap-based buffer overflow. Attackers would be able to exploit this problem and remotely install and execute malicious code on a victim computer. Secunia recommends that Opera users upgrade to version 9.02.