Secunia is currently arguing with Microsoft over the existence of a vulnerability in the latest version of Internet Explorer.
Security company Secunia is currently arguing with Microsoft over the existence of a vulnerability in the latest version of Internet Explorer. IE7 has only been in the public domain for just over a day.
Secunia yesterday reported that it had discovered a 'less critical' vulnerability in IE7. However, Microsoft has rejected the claims, saying that the flaw actually lies in a component of Outlook Express, its email client.
"The reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express," Christopher Budd, a Microsoft spokesman said on the company's security blog.
Countering this claim, Thomas Kristensen of Secunia said in a statement: "This may be true - from an organisational point of view within Microsoft. However, the vulnerability is fully exploitable via IE, which is the primary attack vector, if not the only attack vector.
"While it may be correct from an organisational (and PR?) point of view within Microsoft, this does not fit into how it is perceived by users and administrators and how they are going to defend against exploitation," Kristensen continued.
It seems that this argument could run and run, though what is certain right now is that there is no fix for the vulnerability yet. Microsoft traditionally sends out patches for flaws in its software and operating systems on the second Tuesday of every month, but it has been known for third-party companies to issue patches as well, though this is uncommon.
Microsoft has also released out-of-cycle patches for vulnerabilities in the recent past, if they have been deemed serious enough. But the fact that Secunia has only given the flaw a 'less critical' rating suggests that no one - probably not even Microsoft - will be in too much of a hurry to provide a patch.
http://www.microsoft.com/security/
http://secunia.com
|  |
Comments
Latest comments
No comments posted. Be the first by posting yours below...