Microsoft Again Argues Over IE7 Bug - InformationWeek

10/31/2006
05:01 PM

Secunia says it spotted a flaw in IE7 that can be targeted by identity thieves. But Microsoft responds that "the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks."

For the second time in two weeks, Microsoft quarreled with a security company over whether a bug in Internet Explorer 7 was really a bug.

Monday, Danish vulnerability tracker Secunia identified a flaw in IE 7 that can be used by identity thieves to snatch users' passwords as they log in to online bank or credit card accounts. According to Secunia, the bug, first spotted in IE 6, was nearly two years old but had never been patched by Microsoft.

Later on Monday, Microsoft eighty-sixed the idea that the bug was, in fact, a bug. "We investigated [the] claim thoroughly in 2004 [and] found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page's address and without verifying an SSL connection," said Christopher Budd, security program manager at Microsoft's Security Response Center (MSRC), on the team's blog.

"In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn't represent a security vulnerability as we have defined it," Budd continued.

Secunia's chief technology officer, Thomas Kristensen, took exception. He pointed out that although the spoofing vulnerability affected virtually every Web browser, only Microsoft's Internet Explorer was not patched. Firefox, for instance, was fixed two months after the bug was first reported (by version 1.0.1), as was Opera. Apple's Safari, meanwhile, was patched a month after the flaw was disclosed (in Security Update 2005-001).

When the spoofing vulnerability appeared in December 2004, IE 6 users were advised to disable the "Navigate sub-frames across different domains" option in the browser's security settings.

"Today, in IE7 this setting has been disabled by default, that is a good thing, but it doesn't work, that is a bad thing!" Kristensen said in an e-mail to TechWeb.

In a blog entry on the Secunia site, Kristensen expanded his criticism. "Today they still say this isn't a vulnerability, despite the fact that they intended to protect users against this in IE7 by disabling the 'Navigate sub-frames across different domains' by default.

"Microsoft ought to take responsibility for the bugs, weaknesses, and vulnerabilities in their browser to ensure that it really protects against phishing and similar scam attacks," Kristensen continued. "Isn't this what Microsoft advertises that IE 7 does better than its predecessors?"

Secunia and Microsoft had a similar disagreement two weeks ago, after Secunia pegged IE 7, which had gone into final release only hours before, as buggy. Microsoft responded by saying that the vulnerability was not within IE 7 but inside Outlook Express, the free e-mail client bundled with Windows XP.
