[ISN] Spoofing bug found in IE 7

From: InfoSec News (alerts@private)
Date: Thu Oct 26 2006 - 01:54:51 PDT


http://news.com.com/Spoofing+bug+found+in+IE+7/2100-1002_3-6129626.html

By Joris Evers
Staff Writer, CNET News.com
October 25, 2006

Security experts have found a weakness in Internet Explorer 7 that could 
help crooks mask phishing scams, the type of attack Microsoft designed 
the browser to thwart.

IE 7, released last week, allows a Web site to display a pop-up that can 
contain a spoofed Web address, security monitoring company Secunia said 
Wednesday. An attacker could exploit this weakness to trick people into 
believing they are on a trusted Web site when in fact they are viewing a 
malicious page, Secunia said in an alert.

"This makes it possible to only display a part of the address bar, which 
may trick users into performing certain unintended actions," Secunia 
said. The company has created a demonstration that shows a Microsoft Web 
address in the pop up window, but displays content from Secunia.

The problem lies in the way Web addresses are displayed in the IE 7 
address bar, a Microsoft representative said in an e-mailed statement. 
An attacker could exploit the issue by tricking a user to click on a 
specially formatted link, the representative said.

The pop-up will block the left part of the Web address, Microsoft said. 
"Clicking in the browser window or in the address bar and scrolling 
within it will display the full URL, however," the company said. In case 
of the Secunia example, the true Secunia URL is revealed.

An attack won't work if a Web site is known to be part of a phishing 
scam, Microsoft said. The IE 7 phishing shield will identify such sites 
and warn the user, it said. Microsoft is not aware of any attacks that 
actually use the reported vulnerability, the company said.

IE 7 is the first major update to Microsoft's ubiquitous Web browser in 
five years. Security was the No. 1 investment for the update, Microsoft 
has said. The phishing protection has been a major focus for Microsoft, 
shielding against malicious Web sites designed to trick users into 
handing over their personal information.

The spoofing issue, rated "less critical" by Secunia, appears to be the 
first genuine, publicly disclosed flaw in the new Microsoft browser. An 
earlier problem, disclosed a day after the IE 7 release, lies in Outlook 
Express, not IE 7, Microsoft has said.

Microsoft will continue to look into the problem and may provide a 
browser patch to fix it, the company said. In addition, Microsoft chided 
the anonymous discloser of the flaw. The software maker prefers that 
security issues be disclosed privately so it can repair them before they 
get publicly known.

Copyright 1995-2006 CNET Networks, Inc.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 



This archive was generated by hypermail 2.1.3 : Thu Oct 26 2006 - 02:08:03 PDT