Internet Explorer open to spoofing, scripting attacks

A zero-day vulnerability in Internet Explorer (IE) leaves the browser open to an attack that could allow someone to capture the keystrokes of a victim.

A vulnerability in Internet Explorer leaves the browser open to spoofing attacks, according to researchers testing the browser for holes.


The flaw was discovered in Internet Explorer 6, 7 and 8 beta 1, and proof-of-concept code has been made publicly available.

Danish vulnerability clearinghouse Secunia gave the vulnerability a moderately critical rating. The flaw is similar to one reported in earlier versions of Internet Explorer, in which the browser fails to check if a target frame belongs to a website containing a malicious link. If an attack is carried out successfully, the website could load malicious content into a frame of a trusted website.

The United States Computer Emergency Readiness Team (US-CERT) issued an advisory warning that the browser does not properly restrict access to a document's frames, leaving it open to the spoofing attack. The US-CERT also advised that the attack could allow someone to capture keystrokes while a user is interacting with a Web page in a different domain.

There is currently no patch available for the flaw. As a workaround, users can disable Active Scripting in the Internet Zone, the US-CERT said.
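The workaround can be audited, and applied for the current user, with a short PowerShell script. This is an added example, not part of the original article or the US-CERT advisory; it assumes the standard Internet Explorer zone registry layout (zone 3 is the Internet Zone, action 1400 is Active Scripting, value 3 means disabled) and PowerShell 3.0 or later. The function names are hypothetical.

```powershell
# Added example: audit (and optionally apply) the "disable Active Scripting" workaround.
# Assumed layout: Zones\3 = Internet Zone; value name 1400 = Active Scripting;
# data 0 = enabled, 1 = prompt, 3 = disabled.
$ZoneSubKey = 'Internet Settings\Zones\3'
$Action     = '1400'
$Meaning    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Policy locations are listed first: where present, they override per-user settings.
$Locations = [ordered]@{
    'Machine policy'  = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\$ZoneSubKey"
    'User policy'     = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\$ZoneSubKey"
    'Machine setting' = "HKLM:\Software\Microsoft\Windows\CurrentVersion\$ZoneSubKey"
    'User setting'    = "HKCU:\Software\Microsoft\Windows\CurrentVersion\$ZoneSubKey"
}

# Hypothetical helper: report the Active Scripting action found in each location.
function Get-ActiveScriptingState {
    foreach ($name in $Locations.Keys) {
        $item  = Get-ItemProperty -Path $Locations[$name] -Name $Action -ErrorAction SilentlyContinue
        $value = $null
        $state = 'Not set'
        if ($item) {
            $value = [int]$item.$Action
            $state = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { "Unknown ($value)" }
        }
        [pscustomobject]@{ Location = $name; Value = $value; State = $state }
    }
}

# Hypothetical helper: apply the workaround for the current user only.
function Disable-ActiveScriptingForCurrentUser {
    $path = $Locations['User setting']
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Action -Value 3 -Type DWord
}

Get-ActiveScriptingState | Format-Table -AutoSize
# Disable-ActiveScriptingForCurrentUser   # uncomment to apply the workaround
```

Run the audit again after applying the change; a policy entry reporting Enabled or Prompt means the per-user setting is not the one in effect.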

A second vulnerability found in Internet Explorer 6 leaves the browser open to cross-domain scripting attacks. The flaw, an input validation error, was discovered by researchers with the Ph4nt0m Security Team, according to Secunia. The flaw was given a moderately critical rating by Secunia. Users are urged to upgrade to Internet Explorer 7.
