specially crafted web sites

"Experts have noted that, while the flaw is serious, those wishing to exploit it would have to entice users to click a link that takes them to a specially crafted Web site. "

How is this a mitigating factor or anything that should be presented as lessening the concern? When does a browser vulnerability not require that a user connect to a website serving malicious code? It seems like this is a common refrain for all of the IE vulnerabilities and I'm wondering is it anything more than just spin?

Can any of you all think of serious browser vulnerabilities that don't require a user make a connection to a site that serves malicious content? If not, then why treat that as somehow special?

reactions, thoughts, comments, etc.

"When does a browser vulnerability..."

The key word there is "browser". I think it is a common phrase for all IE vulnerabilities, but it's not necessarily common to all Microsoft vulnerabilities, and they all get reported in the same way. There have been serious vulnerabilities which could be exploited simply by getting someone to view an email or open a document or something other than connecting to a website in a browser window.

The last batch of Mozilla advisories were basically for Firefox, but noted that the vulnerabilities could also be a problem in Thunderbird if script was enabled in email. Maybe next time around you could issue a more general advisory and note that it's only a problem if you visit websites in Firefox? :-)

Whenever a flaw gets shell access, it no longer becomes a browser vulnerability, and enters the world of critical system vulnerability. This is a critical system vulnerability dependent upon mshtml.dll.

I believe I've seen this kind of language for all browser holes, not just IE. As you said, browser vulnerabilities only work when a user visits a web page. But I don't see how calling it how it is should be called spin. I believe the author probably used 'specially crafted' to make sure non-technical users don't think /any/ web page is going to give them a virus.

I have been using Mozilla browsers since before Mozilla 1.0, so I'm not an IE fan (in fact, being a web developer, I despise IE). But I can't tag that comment as spin, as they describe Mozilla vulnerabilities the same.

I would totally agree with Yacoubean. The general public, which are using the net more and more, would not necessarily know that IE wouldn't get infected by going to *any and every* website. Those of us that already knew that it only applied to some 'specially crafted' malicious sites can ignore the comment. Simple really.

I don't think it's a matter of one kind of browser flaw vs. another kind, so much as it's a matter of one class of software flaw in general vs. another. As Michael said, it's a matter of push vs. pull. A vulnerability in an email or IM client could result in a compromise without user action, when a malicious message comes in. A vulnerability in a networking service could result in a compromise without user action, just with the computer on.

It's "mitigating" in the sense that the user has to take some sort of action, even if it's one they expect to be relatively safe.

Of course, it would be easy to trick someone into visiting a malicious website. Just dress it up with a funny animation, or flash game. Make it look like a viral marketing site, or the next "Badger Badger Badger" or "Llama Song," and people will go there.

One must be connected to the Internet to activate exploit code, BTW ;)