In a security advisory posted on its TechNet site, Microsoft acknowledged that its Internet Explorer browser, including the version packaged with Windows XP SP2, could be used to trick people into entering information such as passwords in a bogus dialog box which appears atop a trusted site.
Microsoft published the advisory, it said, "to clarify the risks associated with browser windows without indications of their origins." But it won't release a security update to fix the flaw because it considers the issue a feature, not a bug.
"This is an example of how current standard Web browser functionality could be used in phishing attempts," the advisory went on.
The Redmond, Wash.-based developer told users that fake dialog boxes could be recognized by the lack of an address bar and lock icon. It also pointed users to a pair of sites for additional info on spotting spoofing attacks and protecting PCs.