Secunia says it spotted a flaw in IE7 that can be targeted by identity thieves. But Microsoft responds that "the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks."
For the second time in two weeks, Microsoft quarreled with a security company over whether a bug in Internet Explorer 7 was really a bug.
Monday, Danish vulnerability tracker Secunia identified a flaw in IE 7 that can be used by identity thieves to snatch users' passwords as they log in to online bank or credit card accounts. According to Secunia, the bug, first spotted in IE 6, was nearly two years old but had never been patched by Microsoft.
Later on Monday, Microsoft eighty-sixed the idea that the bug was, in fact, a bug. "We investigated [the] claim thoroughly in 2004 [and] found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page's address and without verifying an SSL connection," said Christopher Budd, security program manager at Microsoft's Security Response Center (MSRC), on the team's blog.
"In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn't represent a security vulnerability as we have defined it," Budd continued.
Secunia's chief technology officer, Thomas Kristensen, took exception. He pointed out that although the spoofing vulnerability affected virtually every Web browser, only Microsoft's Internet Explorer was not patched. Firefox, for instance, was fixed two months after the bug was first reported (by version 1.0.1), as was Opera. Apple's Safari, meanwhile, was patched a month after the flaw was disclosed (in Security Update 2005-001).
"Today, in IE7 this setting has been disabled by default, that is a good thing, but it doesn't work, that is a bad thing!" Kristensen said in an e-mail to TechWeb.
In a blog entry on the Secunia site, Kristensen expanded his criticism. "Today they still say this isn't a vulnerability, despite the fact that they intended to protect users against this in IE7 by disabling the 'Navigate sub-frames across different domains' by default.
"Microsoft ought to take responsibility for the bugs, weaknesses, and vulnerabilities in their browser to ensure that it really protects against phishing and similar scam attacks," Kristensen continued. "Isn't this what Microsoft advertises that IE 7 does better than its predecessors?"
Secunia and Microsoft had a similar disagreement two weeks ago, after the former pegged IE 7, which had gone into final release only hours before, as buggy. Microsoft responded by saying that the vulnerability was not within IE 7, but inside Outlook Express, the free e-mail client bundled with Windows XP.