informa
/
1 MIN READ
News

Microsoft Won't Patch IE Spoofing Bug

Hours after word broke that most browsers were vulnerable to a spoofing flaw that phishers could use to pilfer confidential data, Microsoft has declined to issue a security update.
Hours after word broke that most browsers were vulnerable to a spoofing flaw that phishers could use to pilfer confidential data, Microsoft has declined to issue a security update.

In a security advisory posted on its TechNet site, Microsoft acknowledged that its Internet Explorer browser, including the version packaged with Windows XP SP2, could be used to trick people into entering information such as passwords in a bogus dialog box which appears atop a trusted site.

Microsoft published the advisory, it said, "to clarify the risks associated with browser windows without indications of their origins." But it won't release a security update to fix the flaw because it considers the issue a feature, not a bug.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," the advisory went on.

The Redmond, Wash.-based developer told users that fake dialog boxes could be recognized by the lack of an address bar and lock icon. It also pointed users to a pair of sites for additional info on spotting spoofing attacks and protecting PCs.

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing