Microsoft debates spoofing as security flaw
Microsoft rejects claims from security researchers that a spoofing technique discovered on Internet Explorer is a vulnerability.
The software giant did accept the possibility that spoofing could occur on version 6 of IE but rejected claims that this is a security flaw.
Spoofing is a way of making people think they are visiting their chosen Web site when they are in fact looking at a "spoofed" site. Spoofing techniques are frequently used in phishing scams--e-mails that attempt to steal personal information by purporting to be from legitimate groups.
In an e-mail statement, the company said: "Microsoft is aware of a security issue reported last week that could allow spoofing the URL a user sees in Internet Explorer's status bar. Users could see a URL in the status bar when the mouse hovers over the link on a Web page, but clicking the link would take the user to a different URL. Our investigation has indicated that this is not a security vulnerability."
Benjamin Tobias Franz, a researcher in Germany, posted warnings last week on the online bulletin board Bugtraq, stating that Internet Explorer could spoof links if perpetrators put two URLs and a table inside an HTML href tag.
The result, Franz asserted, is that malformed links to URLs could take people to an entirely different Web site without their knowledge.
But Microsoft said a large amount of social engineering would need to take place if victims were to fall for such attacks.
"An attacker would need to entice a user to visit a site and then entice the user to click a link on that site based on the URL that appears in the Internet Explorer status bar," Microsoft's statement said. "Once on the destination site, the user would need to be enticed by the attacker to take some action, such as disclosing confidential financial information, without the user noticing that the URL in the address bar does not match the URL that the user thought he (or) she was visiting."
The company advised people to check that the URL in the browser address bar was the intended destination before going to the site. Franz and Microsoft agreed that Windows XP Service Pack 2 is unaffected by the issue.
Microsoft added that it "will evaluate the feasibility of implementing similar changes on earlier versions of Windows in the future."
On Bugtraq, Franz said HTML e-mail messages were vulnerable to the technique, so Microsoft Outlook Express is also affected. Franz wrote that people should right-click on links to check their real destination.
People who use Mozilla's Firefox are not affected by the issue, according to security firm Netcraft.