The first IE 7 exploit that wasn't (mhtml URI)
One day after Internet Explorer 7 was released there was a Slashdot story trumpeting that the first IE 7 exploit had been found. What the Slashdot blurb didn't say, but the linked advisory sort of did (hence the common cry of RTFA), is that this is actually an unpatched IE 6 vulnerability. And by IE 6 vulnerability, I mean ActiveX vulnerability. And by ActiveX vulnerability, I mean Outlook Express vulnerability… say what?
ISC clarifies that what actually happened here is that this is an old vulnerability that Secunia disclosed earlier in the year in IE/Outlook Express 5.5-6. Basically, Secunia released a new advisory specific to IE 7 for the same bug. The vulnerable component is an ActiveX control that ships with Outlook Express, and since Outlook Express is bundled with Windows, the control is present on all machines by default; it is not an IE 7 code path at all. The vulnerability itself is rated "Less Critical" (2/5) and is basically an information disclosure vulnerability, not remote code execution. On Secunia's five-step scale that is just one notch above "Not Critical" (1/5, for what that's worth), so it barely cleared the bar of being counted as a vulnerability. Thus the first IE 7 vulnerability star was born, but on closer inspection it turned out to be a brown dwarf.
