Thursday, October 19, 2006

IE7 -- "Bits from Bill" and Other Internet Explorer 7 News

There will be a lot of information available on the newly released Internet Explorer 7 over the coming weeks. I will do my best to consolidate key information here in the Security Garden.

Included at the bottom of this posting are a number of references that you may find helpful.

  • WinPatrol Notes
Bill Pytlovany installed IE7 on his WinPatrol studio computers. For information on the changes you need to be alerted to, and information from the WinPatrol Plus database, see "Bits from Bill: IE7 changes include IEFrame.dll". I suspect we will get further updates in "Bits from Bill".

  • IE 7 First Run Screen
Microsoft MVP Sandi Hardmeier documented what needs to be done if you experience problems with "The new Internet Explorer first run screen". Also keep an eye on Sandi's website, IE-Vista, for help in learning about and using the new features in IE7.

  • First IE7 Advisory Issued and Refuted
Although it is not critical, Secunia issued Advisory 22477, described as follows:
"A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.

Secunia has constructed a test, which is available at: Secunia

Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected."
Secunia's recommended workaround is to disable active scripting support. The Microsoft Security Response Center has addressed this, indicating:
"These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express."
  • IE7 Phishing Filter
One thing is certain, the IE7 phishing filter cannot come too soon. Note, however, that it is not turned on by default. (See IE-Vista Phishing Filter for instructions and information on how the Phishing Filter works.) The Register reported yesterday that a "Trojan download site spoofs IE7 release outlet":
"Hackers have created a bogus Internet Explorer 7 download site that attempts to load Trojan code onto the PCs of visiting surfers.

Traffic to the malicious website is being driven by a spoofed email message, claiming to be from, offering a link to download Release Candidate 1 (RC1) of Microsoft Internet Explorer 7."
  • Automatic Updates
As pointed out several times, Internet Explorer 7 will be delivered via Automatic Updates. However, it was with relief that, when reading Canuk's CyberNews4You update on Internet Explorer 7, I followed a link to Tech Web and happily learned the following:
"The IE 7 update will also not add to the burden of Microsoft's monthly security patch delivery, scheduled for Nov. 14, promised Cobb. 'We won't do it on Patch Tuesday.'"
That in itself is a relief for the 40 percent or so of Americans who are still using a dial-up connection! However, that is not to say that IE7 may not be delivered to your computer earlier. As we are reminded in the IE Blog,
"To help you become more secure and up-to-date, we will distribute IE7 via Automatic Updates as a high-priority update. We will start very soon with those of you who are already running IE7 pre-releases and then move onto IE6 users after a few weeks. We will progressively roll out to all IE6 users over a few months, so don’t be surprised if you don’t see the update right away."
  • IE7 Support
The other good news I learned from the Tech Web article is that Microsoft will be establishing toll-free telephone support for IE 7:
"Beginning Thursday, Microsoft will open a free, toll-free support line for IE 7. The help desk will be manned Monday through Friday 5 a.m. to 9 p.m. PDT, and on weekends from 6 a.m. to 3 p.m. PDT."
See Time and Date for converting PDT time to your local time zone.

  • References
IE Blog
Internet Explorer 7 Home
Internet Explorer 7 Support
Internet Explorer 7 Community
IE7 Quick Reference Sheet
IE7 Release Notes
Information Index for IE7
The Microsoft Internet Explorer Developer Center
