Phishing risk seen in new IE 7 flaw

Microsoft said it is investigating a flaw in Internet Explorer 7 (IE 7) attackers could exploit to launch phishing expeditions.

I think it is a serious vulnerability, because it allows a phisher to take advantage of the user without the need to create a look alike URL.
Aviv Raff,
vulnerability researcher
Attackers could exploit a new flaw in Internet Explorer 7 (IE 7) to launch phishing expeditions, Israeli vulnerability researcher Aviv Raff warned in a posting on his blog Wednesday. Microsoft said it is investigating his findings.

Raff said IE 7 running on Windows XP and Vista is susceptible to cross-site scripting attacks. That combined with a design flaw in the browser could allow digital miscreants to launch phishing schemes against users, he added.

"I think it is a serious vulnerability, because it allows a phisher to take advantage of the user without the need to create a look alike URL," Raff said in an instant message exchange. "The user will see the trusted URL in the address bar and the fake content provided by the phisher."

Raff said he is unaware of any exploits in the wild. Microsoft issued a statement saying that it's investigating the flaw but has seen no evidence of active exploits to date.

In his blog, Raff said an attacker can create a specially crafted navcancl.htm local resource link with a script that will display [the] fake content of a trusted site, such as a bank, Paypal or MySpace URL. When the victim opens the link sent by the attacker, a "Navigation Canceled" page will be displayed and the victim will think there was a site error and try to refresh the page.

"Once he will click on the 'Refresh the page' link, the attacker's provided content will be displayed and the victim will think that he's within the trusted site, because the address bar shows the trusted site's URL," Raff added in his blog.


News Editor Robert Westervelt contributed to this story.

Dig deeper on Web Browser Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close