Less than 24 hours after its final release, Internet Explorer 7 has been found to be vulnerable to an exploit dating back to November 2003, which was discovered affecting IE6 last April. The issue surrounds Microsoft's handling of MIME HTML resources, security company Secunia said in an advisory.
The vulnerability apparently involves a very simple trick where a call to a MIME HTML, or MHTML, resource can trigger the running of an executable file, even with high-level security settings.
An MHTML resource is a "Web archive" of multiple elements, often including media and sometimes (though not preferably) executable files. Through Microsoft browsers, it's addressed as a single resource with the extension .MHT.
A call placed to an .MHT resource is phrased using an old Microsoft two-part convention, where the location of the resource is separated from its identity with an exclamation point, not unlike similar syntaxes in Excel and earlier versions of Visual Basic.
http://www.betanews.com/article/IE7_Final_Vulnerable_to_Old_Exploit/1161275418
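For defenders who want to find such references in page content or filtered traffic, the following added example (not from the article or from Secunia) splits the two-part `location!resource` form described above and flags references that point at another host or name an executable. The `mhtml:` scheme prefix, the extension list, the function names and the sample markup are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: references carry the "mhtml:" scheme prefix in front of the
# two-part "location!resource" form the article describes.
MHTML_REF = re.compile(r'mhtml:([^\s"\'<>]+)', re.IGNORECASE)

# Assumption: a short, illustrative list of extensions treated as executable.
EXECUTABLE_EXT = ('.exe', '.com', '.scr', '.bat', '.cmd', '.pif')

# Constructed sample markup, not taken from any real page.
SAMPLE_HTML = '''
<a href="mhtml:http://archive.example/bundle.mht!setup.exe">download</a>
<img src="mhtml:http://intranet.example/report.mht!logo.gif">
'''

def parse_mhtml_ref(ref):
    """Split 'location!resource' at the first '!'; resource is None if absent."""
    location, sep, resource = ref.partition('!')
    return location, (resource if sep else None)

def host_of(url):
    """Lower-cased host of a URL, or '' when it has none."""
    return (urlsplit(url).hostname or '').lower()

def scan(text, page_host):
    """Return one finding per mhtml: reference found in text."""
    findings = []
    for match in MHTML_REF.finditer(text):
        location, resource = parse_mhtml_ref(match.group(1))
        findings.append({
            'location': location,
            'resource': resource,
            # The archive is hosted somewhere other than the page itself.
            'cross_host': host_of(location) != page_host.lower(),
            # The named part of the archive has an executable extension.
            'executable': bool(resource)
                          and resource.lower().endswith(EXECUTABLE_EXT),
        })
    return findings

if __name__ == '__main__':
    for finding in scan(SAMPLE_HTML, 'intranet.example'):
        print(finding)
```
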