A vulnerability in Internet Explorer leaves the browser open to spoofing attacks, according to researchers testing the browser for holes.
Possible change: "According to researchers testing IE for holes, a flaw in the browser is leaving it susceptible to attack."The flaw was discovered in Internet Explorer 6, 7 and 8 beta 1, and a proof-of-concept code has been made publicly available.
Danish vulnerability clearinghouse
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
Secunia, gave the vulnerability a moderately critical rating. The flaw is similar to one reported in earlier versions of Internet Explorer, in which the browser fails to check if a target frame belongs to a website containing a malicious link. If an attack is carried out successfully, the website could load malicious content into a frame of a trusted website.
The United States Computer Emergency Readiness Team (US-CERT) issued an advisory warning that the browser does not properly restrict access to a document's frames, leaving it open to the spoofing attack. The US-CERT also advised that the attack could allow someone to capture keystrokes while a user is interacting with a Web page in a different domain.
There is currently no patch available for the flaw. As a workaround, users can disable Active Scripting in the Internet Zone, the US-CERT said.
A second vulnerability found in Internet Explorer 6 leaves the browser open to cross-domain scripting attacks. The flaw, an input validation error, was discovered by researchers with the Ph4nt0m Security Team, according to Secunia. The flaw was given a moderately critical rating by Secunia. Users are urged to upgrade to Internet Explorer 7.