Microsoft: SP2 download flaw is social engineering

NEWS

Microsoft has said it will take "appropriate action" to fix a problem in Internet Explorer and Windows XP SP2 that allows a malicious website to bypass the browser's warnings about downloading potentially harmful content.

The problem was first reported to Microsoft on 15 November by security company Finjan. At the time, Microsoft said Finjan's security advisory was "misleading and possibly erroneous". On Monday, French website K-otik published exploit codes that could take advantage of the same vulnerability.

On Tuesday, a Microsoft spokesperson said that the company still believes the claims are misleading because "significant user interaction and user interface steps have to occur before any malicious code can be executed".

However, the software giant did admit that it was possible to bypass the security warnings in IE - even when using Windows XP with Service Pack 2.

"Microsoft is investigating this method of bypassing the Internet Explorer download warning and will take appropriate action to cover this scenario in order for customers to be properly advised that executables downloaded from the Internet can be malicious in nature," the spokesperson said.

The spokesperson acknowledged that if the file was saved in the start-up folder, it would automatically run the next time the user restarted their computer.

"The user must go to the folder containing that executable and choose to run it, or log off and log back onto the computer if the attacker attempted to save the malicious executable into the user's Windows Startup folder," the spokesperson said.

However, the spokesperson said the problem was not a security vulnerability but actually a clever use of social engineering.

"It is important to note that this is not the exploitation of a security vulnerability, but an attempt by an attacker to use social engineering to convince a user to save an executable file on the hard drive without first receiving the Internet Explorer download warning," the spokesperson said.

Security experts disagree with Microsoft on this point.

Sean Richmond, senior technology consultant at antivirus firm Sophos Australia, agreed that the exploit would require some user interaction but said this was definitely bypassing a security feature in IE and SP2.

"This is certainly something that is bypassing some of the security features that are meant to be there. It is a way of bypassing the dialogues in IE. It will result in the [malicious] file being saved on the user's computer," said Richmond, who added that the matter would be worse if that file could be saved in a computer’s start-up folder.

Richard Starnes, an information security professional with around 20 years experience in information security, incident response and computer crime investigation, said that legislation could be used to force Microsoft - and other software developers - to improve their code and take financial responsibility for their customers' losses.

"I wonder how solid Microsoft's coding would become if strategic governments around the world removed the liability shield that software manufactures now currently enjoy. They would then have some real financial incentive to get it right the first time, instead of this Computer Science 101 coding they are continually churning out," said Starnes.

Starnes believes the quality of software development has fallen in the past two decades.

"Most commercial releases of software today wouldn't have made it out of beta 20 years ago," he added.

Munir Kotadia writes for ZDNet Australia.