News
10/31/2006 05:01 PM

Microsoft Again Argues Over IE7 Bug

Secunia says it spotted a flaw in IE7 that can be targeted by identity thieves. But Microsoft responds that "the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks."

For the second time in two weeks, Microsoft quarreled with a security company over whether a bug in Internet Explorer 7 was really a bug.

Monday, Danish vulnerability tracker Secunia identified a flaw in IE 7 that can be used by identity thieves to snatch users' passwords as they log in to online bank or credit card accounts. According to Secunia, the bug, first spotted in IE 6, was nearly two years old but had never been patched by Microsoft.

Later on Monday, Microsoft eighty-sixed the idea that the bug was, in fact, a bug. "We investigated [the] claim thoroughly in 2004 [and] found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page's address and without verifying an SSL connection," said Christopher Budd, security program manager at Microsoft's Security Response Center (MSRC), on the team's blog.

"In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn't represent a security vulnerability as we have defined it," Budd continued.

Secunia's chief technology officer, Thomas Kristensen, took exception. He pointed out that although the spoofing vulnerability affected virtually every Web browser, only Microsoft's Internet Explorer was not patched. Firefox, for instance, was fixed two months after the bug was first reported (by version 1.0.1), as was Opera. Apple's Safari, meanwhile, was patched a month after the flaw was disclosed (in Security Update 2005-001).

When the spoofing vulnerability appeared in December 2004, IE 6 users were advised to disable the "Navigate sub-frames across different domains" option in the browser's security settings.

"Today, in IE7 this setting has been disabled by default, that is a good thing, but it doesn't work, that is a bad thing!" Kristensen said in an e-mail to TechWeb.

In a blog entry on the Secunia site, Kristensen expanded his criticism. "Today they still say this isn't a vulnerability, despite the fact that they intended to protect users against this in IE7 by disabling the 'Navigate sub-frames across different domains' by default.

"Microsoft ought to take responsibility for the bugs, weaknesses, and vulnerabilities in their browser to ensure that it really protects against phishing and similar scam attacks," Kristensen continued. "Isn't this what Microsoft advertises that IE 7 does better than its predecessors?"

Secunia and Microsoft had a similar disagreement two weeks ago, after the former pegged IE 7, which had gone into final release only hours before, as buggy. Microsoft responded by saying that the vulnerability was not within IE 7 but inside Outlook Express, the free e-mail client bundled with Windows XP.
