Tuesday, October 31, 2006

Microsoft and Secunia at it again. And FF 2 too affected?

It seems that Microsoft and Secunia is at it again. This is the second debate between the security company and Microsoft since the launch of Internet explorer 7. The first one was the for the mhtml re-direction information disclosure security flaw when Microsoft said it was a outlook express problem and Secunia pinning it on Explorer 7 saying since the browser paves way for it, it has to be held reponsible. Read about it here.

And now with the latest threat, the window injection security flaw they are at it again. Secunia says that it is a
vulnerability and that Firefox and Opera treated it as a vulnerability and already patched it within two months of this being reported in 2004 but Microsoft just didn't treat it as one and left it upatched and let it continue in explorer 7.

In the Microsoft Security Response blog they say that it is not a vulnerability. This is an excerpt from their response in the blog:-
"Like we always do, we investigated that claim thoroughly in 2004. We found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page’s address (because there was no address bar) and without verifying an SSL connection (like we recommend on our website).

In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn’t represent a security vulnerability as we have defined it on our website.

Now, that said, we take all reports seriously even when they’re not security vulnerabilities. In this case, we did look at the scenario in question and asked ourselves what we could do to help improve our anti-phishing and anti-spoofing features so that customers can better protect themselves. We decided that one thing we could do was to add a feature to IE 7 where it always shows the actual URL of the web page, even in pop-up windows. So we added a pop-up window address bar, enabling users to more accurately make a trust decision."

Secunia's response to this was "Today, in 2006 they (Microsoft) still say this isn't a vulnerability - despite the fact that they intended to protect users against this in IE7 by disabling the "Navigate sub-frames across different domains" "functionality" by default."

Secunia has given anillustration on how the latest security flaw (window injection vulnerability) can be misused by a malicious site and why it treats it as a security flaw and how even the newly added and
always visible address bar in Internet explorer 7 does not mitigate this.

Now what I wonder is when Secunia says that Firefox and Opera took care of this issue within two months of this security flaw reported across multiple browsers way back in 2004 why only Microsoft has dealt with it in a different way. May be like they say they don't consider this as a security flaw or vulnerability.

And yesterday I read on Betanews that Firefox 2 has also been detected with the same security flaw. When it has been said that both Opera and Firefox took care of this issue way back then how come it has cropped up again in Firefox 2. Betanews says they conducted some tests on Firefox 2 too and it has some issues with this.

So far I have not seen Mozilla saying anything about this officially. I would like to know from Betanews that whether they got any response from Firefox 2. I have already posted about this in the mozilla forum. May be we can get an answer there.