UPDATE: Microsoft has responded to the issue, saying the flaw actually lies
in Outlook Express. The company is investigating the situation.
Less than 24 hours after its final release, Internet Explorer 7 has been
found to be vulnerable to an exploit dating back to November 2003, which
was discovered affecting IE6 last April. The issue surrounds Microsoft's
handling of MIME HTML resources, security company Secunia said in an
The vulnerability apparently involves a very simple trick where a call to a
MIME HTML, or MHTML, resource can trigger the running of an executable
file, even with high-level security settings.
An MHTML resource is a "Web archive" of multiple elements, often including
media and sometimes (though not preferably) executable files. Through
Microsoft browsers, it's addressed as a single resource with the extension
A call placed to an .MHT resource is phrased using an old Microsoft
two-part convention, where the location of the resource is separated from
its identity with an exclamation point, not unlike similar syntaxes in
Excel and earlier versions of Visual Basic.
As a researcher discovered in late 2003, Microsoft's default handling of
this two-part convention also works the same way: if the location doesn't
actually exist or cannot be resolved, the interpreter assumes the name of
the resource exists on the local system. Thus, if the identity happens to
be the name of a real executable file, it'll run.
Last April, another researcher informed Secunia that a version of the same
vulnerability continued to plague IE6. At that time, the firm posted a
non-malicious test page, to enable users to see whether their IE browsers
were vulnerable. To this date, Secunia believes the IE6 vulnerability to be
Apparently, the same test conducted on the final IE7 release revealed the
new browser to be similarly vulnerable. Secunia rates this problem as "less
critical," perhaps mainly because this is a trigger mechanism rather than a
full-scale virus or Trojan. Conceivably, however, it could be utilized by
malicious users within a more complete malware setup.