"I think these responses are fine, given the sorry state of browser UI security in general; although in good conscience, I can't dismiss the problem as completely insignificant," Zalewski said.
Carabott and Botezatu both agreed that this issue should be fixed because attackers are likely to start exploiting it if it is left unaddressed. However, the fact that this attack method leverages legitimate browser functionality might make it harder to mitigate, Carabott said.
"We're aware of a spoofing issue that can be mitigated by enabling Internet Explorer's Smart Screen Filter," said Yunsun Wee, director of Trustworthy Computing at Microsoft. "There have not been any known attempts to exploit this issue, and we continue to encourage customers to only visit trusted websites."
Mozilla did not immediately return a request for comment.
"The best practice is to refuse any download that initiates automatically," Botezatu said. "If this is not possible, users should scan the downloaded file with either an antivirus or online with a multi-engine antivirus service."
Sign up for Computerworld eNewsletters.