MS: Ability to Co-opt Pop-ups a 'Design Consideration'

The ability of a Web page to take control of the content source of a pop-up browser window opened by another page is not a design flaw or vulnerability in Internet Explorer 7, as security services firm Secunia stated yesterday, but instead "an important design consideration...to provide a consistent customer experience," according to a statement from Microsoft security spokesperson Christopher Budd.
"Because Microsoft had previously determined that this actually isn't a security vulnerability," Budd writes, "there has been some confusion over these new reports." Browsers, he said, are designed with the capability for pages to pop up windows beside them, and direct them to reload their content from specific sources.
"This is actually an important design consideration for many Web sites, especially line-of-business sites, that re-use windows to provide a consistent customer experience," reads Budd's statement. "However, an example of how this could be used to mislead users would be for an untrusted site to pop up a browser window over a trusted site. To make this compelling, the pop-up window would be created without an address bar. The combination of these events could then be used to add untrusted content to legitimate looking pop-up windows in a phishing or spoofing attack."
Yesterday, Secunia posted a security advisory alerting users to what it claimed to be a vulnerability affecting IE7. If two browser windows are open and the second one generates a pop-up window, the first can direct its own content into that pop-up. Secunia posted a link to a test enabling users to observe the vulnerability for themselves.
As Secunia's window wrested control of a pop-up generated by USAToday.com, its message to users read, "This page could easily have contained malicious information spoofed as being from USA Today, asking you to install programs or disclose sensitive information such as credit card details."
Microsoft, Budd writes, began wrestling with this issue in 2004. At that time, Budd said, Microsoft determined that for a malicious site to misrepresent a page in this way, the pop-up window would have to hide its address bar, so that the user could not see that the content comes from a different site.
"We found that in all cases," he posts, "for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page's address (because there was no address bar) and without verifying an SSL connection."
In his company's response to Microsoft, Secunia CTO Thomas Kristensen states that six browser makers, including those of Firefox, Netscape, and Opera, all addressed the same co-opting capability in 2004 and released a fix for it. But as BetaNews discovered in its own test yesterday, the vulnerability continues to affect Firefox versions 1.5 and 2.0, as well as IE6, while at least one installation of IE7 we have seen is immune to it, for reasons we are still working to discover.
Also, with regard to the vulnerable IE7 installation we tested, we noted that the URL of the content that takes over USAToday's pop-up in the Secunia test does show prominently at the top of the window.
Still, as Kristensen counter-argued on his company's blog today, "If this 'functionality' is required, then the setting to allow this dangerous interaction between different windows and pop-ups can easily be enabled on a per-site basis, or for sites which are trusted. We believe that Microsoft ought to take responsibility for the bugs, weaknesses, and vulnerabilities in their browser, to ensure that it really protects against phishing and similar scam attacks." Kristensen makes no claim about the vulnerability's effectiveness in competing browsers.