Monday, Danish vulnerability tracker Secunia identified a flaw in IE 7 that can be used by identity thieves to snatch users' passwords as they log in to online bank or credit card accounts. According to Secunia, the bug, first spotted in IE 6, was nearly two years old but had never been patched by Microsoft.
Later on Monday, Microsoft eighty-sixed the idea that the bug was, in fact, a bug. "We investigated [the] claim thoroughly in 2004 [and] found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page's address and without verifying an SSL connection," said Christopher Budd, security program manager at Microsoft's Security Response Center (MSRC), on the team's blog.
"In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn't represent a security vulnerability as we have defined it," Budd continued.
Secunia's chief technology officer, Thomas Kristensen, took exception. He pointed out that although the spoofing vulnerability affected virtually every Web browser, only Microsoft's Internet Explorer was not patched. Firefox, for instance, was fixed two months after the bug was first reported (by version 1.0.1), as was Opera. Apple's Safari, meanwhile, was patched a month after the flaw was disclosed (in Security Update 2005-001).
When the spoofing vulnerability appeared in December 2004, IE 6 users were advised to disable the "Navigate sub-frames across different domains" option in the browser's security settings.
"Today, in IE7 this setting has been disabled by default, that is a good thing, but it doesn't work, that is a bad thing!" Kristensen said in an e-mail to TechWeb.
In a blog entry on the Secunia site, Kristensen expanded his criticism. "Today they still say this isn't a vulnerability, despite the fact that they intended to protect users against this in IE7 by disabling the "Navigate sub-frames across different domains" by default.
"Microsoft ought to take responsibility for the bugs, weaknesses, and vulnerabilities in their browser to ensure that it really protects against phishing and similar scam attacks," Kristensen continued. "Isn't this what Microsoft advertises that IE 7 does better than its predecessors?"
Secunia and Microsoft had a similar disagreement two weeks ago after the former pegged IE 7, which had just gone into final release hours before as buggy. Microsoft responded by saying that the vulnerability was not within IE 7, but inside Outlook Express, the for-free e-mail client bundled with Windows XP.