Raff said IE 7 running on Windows XP and Vista is susceptible to cross-site scripting attacks. That combined with a design flaw in the browser could allow digital miscreants to launch phishing schemes against users, he added.
"I think it is a serious vulnerability, because it allows a phisher to take advantage of the user without the need to create a look alike URL," Raff said in an instant message exchange. "The user will see the trusted URL in the address bar and the fake content provided by the phisher."
Raff said he is unaware of any exploits in the wild. Microsoft issued a statement saying that it's investigating the flaw but has seen no evidence of active exploits to date.
In his blog, Raff said an attacker can create a specially crafted navcancl.htm local resource link with a script that will display [the] fake content of a trusted site, such as a bank, Paypal or MySpace URL. When the victim opens the link sent by the attacker, a "Navigation Canceled" page will be displayed and the victim will think there was a site error and try to refresh the page.
"Once he will click on the 'Refresh the page' link, the attacker's provided content will be displayed and the victim will think that he's within the trusted site, because the address bar shows the trusted site's URL," Raff added in his blog.
News Editor Robert Westervelt contributed to this story.