Microsoft to Secunia: That's not an IE bug, either!

         

tedster

4:51 pm on Nov 1, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Does this sound like a re-run? For the second time in two weeks, Microsoft quarreled with a security company over whether a bug in Internet Explorer 7 was really a bug.

Microsoft says the bug identified by Secunia doesn't meet its definition of a vulnerability because "it requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks," in the words of one Microsoft manager.

Information Week [informationweek.com]

MatthewHSE

5:25 pm on Nov 1, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks."

When the spoofing vulnerability appeared in December 2004, IE 6 users were advised to disable the "Navigate sub-frames across different domains" option in the browser's security settings.

Maybe I'm missing something, but are they saying that failing to keep up with all the late-breaking security news so you can know what options to enable and disable is "intentionally" not using security features? Most folks here can keep up with that kind of news, so maybe we don't have an excuse. But my uncle has other things to do than read about security all day. How is he supposed to know when to change his browser settings?

"Today, in IE7 this setting has been disabled by default, that is a good thing, but it doesn't work, that is a bad thing!" Kristensen [Secunia] said in an e-mail to TechWeb.

So they take an enabled-by-default setting and turn it into a disabled-by-default setting, but this still doesn't work? Again, I may be missing something, but how on earth can they say this isn't a vulnerability? Maybe this is the answer:

"...we [Microsoft] said in 2004 that this issue doesn't represent a security vulnerability as we have defined it," Budd continued.
(Emphasis mine.)

You can get by with a lot if your definitions are right.

[edited by: MatthewHSE at 5:26 pm (utc) on Nov. 1, 2006]

bedlam

6:14 pm on Nov 1, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks."

No, no...I think they're right. There are a number [mozilla.com] of [konqueror.org] free [browser.netscape.com], simple [mozilla.org], security [opera.com] measures [apple.com] that responsible internet users can take that completely eliminate the problem...

;-p

-b