eWeek Microsoft Watch
October 19, 2006 1:30 PM

IE 7 Fails Its First Security Test



It seems that Microsoft's brand-new Internet Explorer 7 browser, which was just released Oct. 18 for Windows XP, has already failed a security test.

An advisory from Secunia, released Oct. 19, says the gold version of IE 7 was shipped with an information disclosure flaw that could be used in spoofing attacks.

The vulnerability is caused by an error in the handling of redirections for URLs with the "mhtml:" URI handler. "This can be exploited to access documents served from another web site," Secunia warned.

Secunia has a test page available that demonstrates the bug on a fully patched version of Windows XP SP2, running Internet Explorer 7.

Secunia first raised an alert for this vulnerability in April 2006, but it was never fixed in IE 6 and was largely ignored in IE 7.

It is nearly impossible to exploit this flaw to launch a spoofing or phishing attack: an attacker would first have to lure an IE user to a fake Web site and know for sure which other secure site might be open in an IE tab in the same browser session. Even so, it is strange that Redmond allowed this to slip through.

The blogs are buzzing with different takes on the "why, what and how" behind the vulnerability, with some speculating that heads will roll in Redmond over it.


Comments (4)

John :

Why am I not surprised?

jung jiil :

ie7 test

Sid Fisch :

When I open the list of previous downloads, IE7 shuts down and requires a restart of Internet Explorer.

If I click on Home I can return to MSN no problem, but cannot do this on the list of previous programs without the home page crashing.

Richard Rosene :

Where is the "send a short cut to the desktop"?
It was in the File drop-down in I.E.6.

Ziff Davis Enterprise