August 23rd, 2004

IE flaw under SP2: User's problem or Microsoft's?

Posted by David Berlind @ 9:18 am

Categories: General, Personal Technology, Security, Software Infrastructure, Web Technology

A security researcher has turned up another problem with Internet Explorer that paves the way for malicious code to sneak past everything Microsoft's Service Pack 2 for Windows XP has to offer (from a security perspective), store itself on the hard drive, and install itself the next time the system boots. But the exploit (and Microsoft's response to it) raises questions about how far Microsoft must go to keep users from being their own worst enemies. Unlike worms, which may wriggle their way into systems with no involvement from end users, this exploit depends on a Web site's ability to turn a user into a willing, if unwitting, participant in the infection process by getting him to drag an object from one part of a Web page and drop it on another.

Microsoft said the issue did not pose a serious risk to users because it requires an attacker to trick people into visiting a Web site and taking some action there. As digital security evolves and improves, hackers will turn more and more to seducing users into doing something they wouldn't otherwise do, an art known as social engineering. The shift raises the question of how far a vendor such as Microsoft must go to protect end users from social engineers. Just last week, another research outfit held SP2's feet to the fire over a vulnerability it discovered in SP2's newly introduced Attachment Execution Service (AES). AES tags files saved by Outlook Express, Windows Messenger and Internet Explorer with the security zone they came from, and it warns before launching them (or blocks them outright) unless that zone is one the end user has explicitly marked as trusted. But, as eWeek's Larry Seltzer argued, exploiting that vulnerability requires so much social engineering that holding Microsoft responsible was an "unrealistic expectation."

But what about this case of "drag-and-infect"? Dragging and dropping objects on Web pages is not unheard of; it is a commonly used technique for online games such as chess, so a user who is asked to drag something has no particular reason to be suspicious. That a file dropped onto the disk can then arrange to run itself at the next boot seems a little lax as well. So, who's to blame if you get snared in a social engineer's net? You, or Microsoft?
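To make concrete what "marked as trusted" means for AES, here is an added PowerShell illustration (it is not code from the original post, nor Microsoft's own implementation) that reads and rewrites the origin tag Windows attaches to downloaded files. The sample file, its tag, and the helper names Get-AttachmentZone, Test-AttachmentPrompt and Show-AttachmentStatus are constructed for this example; PowerShell 3.0 or later on an NTFS volume is assumed.

```powershell
# Added example, not from the original post: what the XP SP2 Attachment Execution
# Service (AES) checks. Internet Explorer, Outlook Express and Windows Messenger tag
# each file they save with its origin security zone, stored in an NTFS alternate
# data stream named Zone.Identifier. AES warns (Internet zone) or blocks (Restricted
# sites) on launch and stays silent for zones the user has marked as trusted.
# Assumes PowerShell 3.0+ on NTFS; the sample file, its tag and the helper names
# below are constructed for this illustration.

$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-AttachmentZone {
    # Returns the ZoneId from the file's Zone.Identifier stream, or $null when the
    # file carries no mark of origin at all.
    param([Parameter(Mandatory)][string]$Path)
    $tag = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $tag) { return $null }
    foreach ($line in $tag) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Test-AttachmentPrompt {
    # $true when AES would warn or block before running this file: only the Internet
    # and Restricted sites zones trigger it. Untagged, local-machine, intranet and
    # trusted-site files run without any prompt.
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-AttachmentZone -Path $Path
    if ($null -eq $zone) { return $false }
    return $zone -ge 3
}

function Show-AttachmentStatus {
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-AttachmentZone -Path $Path
    $name = if ($null -eq $zone) { 'untagged' } else { $ZoneNames[$zone] }
    '{0}: zone={1}, prompt={2}' -f (Split-Path $Path -Leaf), $name, (Test-AttachmentPrompt -Path $Path)
}

# Constructed sample: a harmless local file tagged as if IE had saved it from the
# Internet zone. This is the exact stream format Windows writes.
$Sample = Join-Path $env:TEMP 'aes-sample.exe'
Set-Content -Path $Sample -Value 'placeholder, not a real executable'
Set-Content -Path $Sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Show-AttachmentStatus -Path $Sample

# Retag the same bytes as coming from Trusted sites: the prompt disappears. "Trusted"
# is a decision the user made in IE's zone settings, not a property of the file.
Set-Content -Path $Sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=2"
Show-AttachmentStatus -Path $Sample

# Unblock-File strips the stream entirely; the file then looks local to AES.
Unblock-File -Path $Sample
Show-AttachmentStatus -Path $Sample
Remove-Item -Path $Sample
```

Run it from a PowerShell prompt on Windows; the three status lines show the same file going from Internet (prompt) to Trusted sites (no prompt) to untagged (no prompt). Two caveats: the real AES also weighs the file type when deciding whether to prompt, which this check does not model, and any program that writes a file to disk without going through the download path that applies the tag produces an untagged file that AES never questions.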
