A vulnerability in Internet Explorer leaves the browser open to spoofing attacks, according to researchers testing the browser for holes.
The flaw was discovered in Internet Explorer 6, 7 and 8 beta 1, and proof-of-concept code has been made publicly available.
Danish vulnerability clearinghouse Secunia gave the vulnerability a moderately critical rating. The flaw is similar to one reported in earlier versions of Internet Explorer, in which the browser fails to check if a target frame belongs to a website containing a malicious link. If an attack is carried out successfully, the website could load malicious content into a frame of a trusted website.
The United States Computer Emergency Readiness Team (US-CERT) issued an advisory warning that the browser does not properly restrict access to a document's frames, leaving it open to the spoofing attack. The US-CERT also advised that the attack could allow someone to capture keystrokes while a user is interacting with a Web page in a different domain.
There is currently no patch available for the flaw. As a workaround, users can disable Active Scripting in the Internet Zone, the US-CERT said.
A second vulnerability found in Internet Explorer 6 leaves the browser open to cross-domain scripting attacks. The flaw, an input validation error, was discovered by researchers with the Ph4nt0m Security Team, according to Secunia. The flaw was given a moderately critical rating by Secunia. Users are urged to upgrade to Internet Explorer 7.