-----BEGIN PGP SIGNED MESSAGE-----

Hi All -

We'd like to set the record straight as regards the advisory published today by the XWT Foundation. Microsoft thoroughly investigated the issue described in the advisory, and discussed our findings in detail with the advisory's author. When the XWT Foundation solicited a response from Microsoft to include in the advisory, we prepared one that accurately reports the risk the issue poses and the solution we developed. It's a pity the XWT Foundation chose not to honor its promise to include our response.

For the record, this is the vendor response we provided:

=====================================================================
Microsoft has investigated the issue discussed in the report, and agrees that the issue is bona fide from a technical standpoint. However, because of the difficulties associated with exploiting it (discussed below), Microsoft believes it is most appropriate to address the issue via a service pack. Accordingly, a fix has been included in IE 6 Service Pack 1, which is due to be released shortly.

Among the barriers that an attacker would face in attempting to exploit the vulnerability are the following:

* It could only be exploited if the user clicked a link within an email - it could not be exploited without user interaction.
* It would require that the attacker host a DNS server, a fact that would be traceable.
* The attacker would need detailed information about the internals of the user's network, such as intranet server names.
* If the intranet site were an HTTPS: site, a dialog would warn the user that the name on the site's certificate did not match the domain name.
* If the intranet site used cookie-based authentication, the attack would fail because the attacker's site would be unable to authenticate on behalf of the user.
* The attack would not work against web servers configured to support multiple host headers, with the exception of any content served up at the "default" site.
=====================================================================

Microsoft stands by its assessment of the issue.

Regards,
Microsoft Security Response Center

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPUXCqo0ZSRQxA/UrAQEztAf/Y3qYCwMDTBSqZR0UrXTj4kA3m6bGWa2l
6LlGtHdKlwtSxWvwdXjsapSbfdQhMthV2+onjWi2lGDS6eqzvKbqf2kzVBBf6mU7
p8KxvgcpWGz3LLqQ1YtmLM7SuGgHayUq5ny6AlTMoYI0ZUMD8R9rVyRSM+CTMkQx
irskV/2HbqmrA4K1BdTV59t6n96lA955KaQMfKChxjk/YmQuBb/77DO+UABEWpdE
N3Sq2OgZOZxElLdBP3Yq/+sei6ixxH3g0UoAH+nOTTvYZDaizMWOPDnhVcwyx6mC
R0lXp70xSB8OvUo89e27eLXz/FYmNBpv54b5gKGJ6HTzxl0YjjeolQ==
=Uzha
-----END PGP SIGNATURE-----
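The last barrier in the vendor response, that servers routing requests by Host header are not affected except for their "default" site, is the mitigation an intranet server operator can apply directly. The following is an added example (editor's illustration, not code from Microsoft, the XWT Foundation, or any product named above) of that check as a WSGI middleware: a request is served only when its Host header names a hostname the server was deployed under; anything else is refused before a handler runs, which also closes the "default site" gap. The hostnames, the `intranet_app` handler and the `simulate_request` driver are constructed for the demonstration.

```python
"""Host-header allowlisting for an intranet web server (illustrative)."""

def normalize_host(host_header):
    """Parse a Host header value into (hostname, port).

    Returns None for a missing or malformed value. Hostnames are lowercased
    and a trailing dot is dropped so that comparison is exact.
    """
    if not host_header:
        return None
    value = host_header.strip()
    if value.startswith("["):             # IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        hostname, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:] if rest else ""
    else:
        hostname, _sep, port = value.partition(":")
        if ":" in port:                   # second colon without brackets
            return None
    if port and not port.isdigit():
        return None
    hostname = hostname.lower().rstrip(".")
    if not hostname:
        return None
    return hostname, (int(port) if port else None)


def host_allowed(host_header, allowed_hosts):
    """True only when the Host header names a deployed hostname exactly."""
    parsed = normalize_host(host_header)
    if parsed is None:
        return False
    hostname, _port = parsed
    allowed = {h.lower().rstrip(".") for h in allowed_hosts}
    return hostname in allowed


class HostHeaderGuard:
    """WSGI middleware: refuse any request whose Host header is not allowlisted.

    There is deliberately no default site: an unknown Host header is an error,
    never a fallback to "whatever this server happens to serve".
    """

    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = set(allowed_hosts)

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST"), self.allowed):
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain")])
            return [b"Unrecognised Host header\n"]
        return self.app(environ, start_response)


def intranet_app(environ, start_response):
    """Constructed stand-in for the real intranet application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"intranet content\n"]


# Constructed deployment: the server answers under these names only.
ALLOWED_HOSTS = {"intranet.example.corp", "intranet"}
guarded_app = HostHeaderGuard(intranet_app, ALLOWED_HOSTS)


def simulate_request(app, host_header, path="/"):
    """Drive a WSGI app with a constructed environ; return the status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "SERVER_NAME": "localhost", "SERVER_PORT": "80",
               "wsgi.url_scheme": "http"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    status = {}

    def start_response(line, headers, exc_info=None):
        status["line"] = line

    b"".join(app(environ, start_response))
    return status["line"]


if __name__ == "__main__":
    for host in ("intranet.example.corp", "Intranet.Example.Corp.:80",
                 "rebound.attacker.example", None):
        print(repr(host), "->", simulate_request(guarded_app, host))
```

A request that arrives via a rebound DNS name still carries the attacker-controlled hostname in its Host header, so the allowlist rejects it regardless of which IP address the name resolved to at that moment. The same comparison belongs in any reverse proxy or virtual-host configuration in front of the application; the point is that no name falls through to a default site.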