Microsoft is accused of giving misguided security advice

Trend Micro says cookiejacking is a major risk
Fri May 27 2011, 12:12

SOFTWARE FLOGGER Microsoft and Trend Micro have got into a dispute about the severity of a vulnerability in Internet Explorer that could allow a hacker to steal a victim's cookies.

It all centres around a vulnerability found by Italian security researcher Rosario Valotta, called 'cookiejacking', or what is better known as session hijacking. He said all versions of Internet Explorer have the bug, which, if exploited, can allow a hacker to steal the data items from the web browser that are known as cookies.

To exploit the flaw, a user needs to be persuaded to drag and drop an object across a PC screen before cookies can be hijacked. This might sound difficult, but you can imagine it being effective if set up nicely, as shown in the video below where a user 'undresses' a picture of an attractive woman.

In a statement, a Microsoft spokesperson said, "Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users."

"In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."

"We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and emails, as well as adjusting Internet settings to higher security levels."

But Robert McArdle, senior threat researcher at Trend Micro, wasn't particularly impressed by the response. He said the statement was inaccurate, as malicious websites are visited every day, and that the use of social engineering to persuade people to drag items is effective. There are always going to be cookies on machines, he added, as most people don't clear cookies that often.

He said, "Their advice - that this issue is not to be taken seriously and does not pose high risk - is misguided. Such comments could lead non-technical users to think that visiting malicious websites is unlikely, and could lead other users to think that they won't be duped or compromised just by visiting a malicious website."

Comments

www.trustworthycomputing.com

Of course, this is not a security hole. It is a feature! Microsoft software has lots of these features.

posted by: Big Bug Bag, 29 May 2011