Secunia says it spotted a flaw in IE7 that can be targeted by identity thieves. But Microsoft responds that "the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks."
For the second time in two weeks, Microsoft quarreled with a security company over whether a bug in Internet Explorer 7 was really a bug.
Monday, Danish vulnerability tracker Secunia identified a flaw in IE 7 that can be used by identity thieves to snatch users' passwords as they log in to online bank or credit card accounts. According to Secunia, the bug, first spotted in IE 6, was nearly two years old but had never been patched by Microsoft.
Later on Monday, Microsoft eighty-sixed the idea that the bug was, in fact, a bug. "We investigated [the] claim thoroughly in 2004 [and] found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page's address and without verifying an SSL connection," said Christopher Budd, security program manager at Microsoft's Security Response Center (MSRC), on the team's blog.
"In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn't represent a security vulnerability as we have defined it," Budd continued.
Secunia's chief technology officer, Thomas Kristensen, took exception. He pointed out that although the spoofing vulnerability affected virtually every Web browser, only Microsoft's Internet Explorer was not patched. Firefox, for instance, was fixed two months after the bug was first reported (by version 1.0.1), as was Opera. Apple's Safari, meanwhile, was patched a month after the flaw was disclosed (in Security Update 2005-001).
"Today, in IE7 this setting has been disabled by default, that is a good thing, but it doesn't work, that is a bad thing!" Kristensen said in an e-mail to TechWeb.
In a blog entry on the Secunia site, Kristensen expanded his criticism. "Today they still say this isn't a vulnerability, despite the fact that they intended to protect users against this in IE7 by disabling the "Navigate sub-frames across different domains" by default.
"Microsoft ought to take responsibility for the bugs, weaknesses, and vulnerabilities in their browser to ensure that it really protects against phishing and similar scam attacks," Kristensen continued. "Isn't this what Microsoft advertises that IE 7 does better than its predecessors?"
Secunia and Microsoft had a similar disagreement two weeks ago after the former pegged IE 7, which had just gone into final release hours before as buggy. Microsoft responded by saying that the vulnerability was not within IE 7, but inside Outlook Express, the for-free e-mail client bundled with Windows XP.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.