Information on New Address Bar Issue



This is Christopher Budd.  We’ve gotten some questions from customers about a new public claim of a spoofing vulnerability affecting IE 7. Because Microsoft had previously determined that this actually isn’t a security vulnerability, there has been some confusion over these new reports.  So, I wanted to take a moment and explain what’s going on here to help people understand the issue.


The newly reported issue is actually a repeat of an issue reported in 2004. This report highlighted that IE and other browsers are designed to allow sites to load pages in browser windows from other sites. This is actually an important design consideration for many websites, especially line-of-business sites, that re-use windows to provide a consistent customer experience. However, an example of how this could be used to mislead users would be for an untrusted site to pop up a browser window over a trusted site. To make this compelling, the pop-up window would be created without an address bar. The combination of these events could then be used to add untrusted content to legitimate-looking pop-up windows in a phishing or spoofing attack.


Like we always do, we investigated that claim thoroughly in 2004. We found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page’s address (because there was no address bar) and without verifying an SSL connection (like we recommend on our website). In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn’t represent a security vulnerability as we have defined it on our website.


Now, that said, we take all reports seriously even when they’re not security vulnerabilities. In this case, we did look at the scenario in question and asked ourselves what we could do to help improve our anti-phishing and anti-spoofing features so that customers can better protect themselves. We decided that one thing we could do was to add a feature to IE 7 where it always shows the actual URL of the web page, even in pop-up windows. So we added a pop-up window address bar, enabling users to more accurately make a trust decision.


In fact, there is a test page as part of this claim, and if you look at the page using IE 7 you can see the actual URL of the page in the pop-up window.


The key thing is that what we said about the issue in 2004 still applies: that you should never decide to trust a web page without first verifying both the address of the web page and an SSL connection.


I hope this helps to explain and clarify the issue.

Thank you.



*This posting is provided “AS IS” with no warranties, and confers no rights.*