Spoofing Bug Found In IE 7

[»1587200]

Security experts have found a weakness in Internet Explorer 7 that could help crooks mask phishing scams, the type of attack Microsoft designed the browser to thwart.

 

IE 7, released last week, allows a Web site to display a pop-up that can contain a spoofed Web address, security monitoring company Secunia said Wednesday. An attacker could exploit this weakness to trick people into believing they are on a trusted Web site when in fact they are viewing a malicious page, Secunia said in an alert.

 

"This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions," Secunia said. The company has created a demonstration that shows a Microsoft Web address in the pop up window, but displays content from Secunia.

 

The problem lies in the way Web addresses are displayed in the IE 7 address bar, a Microsoft representative said in an e-mailed statement. An attacker could exploit the issue by tricking a user to click on a specially formatted link, the representative said.

 

The pop-up will block the left part of the Web address, Microsoft said. "Clicking in the browser window or in the address bar and scrolling within it will display the full URL, however," the company said. In case of the Secunia example, the true Secunia URL is revealed.

 

An attack won't work if a Web site is known to be part of a phishing scam, Microsoft said. The IE 7 phishing shield will identify such sites and warn the user, it said. Microsoft is not aware of any attacks that actually use the reported vulnerability, the company said.

 

IE 7 is the first major update to Microsoft's ubiquitous Web browser in five years. Security was the No. 1 investment for the update, Microsoft has said. The phishing protection has been a major focus for Microsoft, shielding against malicious Web sites designed to trick users into handing over their personal information.

 

The spoofing issue, rated "less critical" by Secunia, appears to be the first genuine, publicly disclosed flaw in the new Microsoft browser. An earlier problem, disclosed a day after the IE 7 release, lies in Outlook Express, not IE 7, Microsoft has said.

 

Microsoft will continue to look into the problem and may provide a browser patch to fix it, the company said. In addition, Microsoft chided the anonymous discloser of the flaw. The software maker prefers that security issues be disclosed privately so it can repair them before they get publicly known.

 

Good game Microsoft.

 

http://news.zdnet.com/2100-1009_22-6129626...=feed&subj=zdnn

[candygirl]

My secrity has fraud protection running on my pc so this weakness in Internet Explorer 7 does nothing to me.

 

And if i do find one they would be remove in 1 min after being found.

[Dav]

no surprise.

 

everything they make is full of holes so why will IE7 and vista be any different?

[JoWie]

Test case:

 

http://secunia.com/internet_explorer_7_pop..._spoofing_test/

[»SD>Big]

"Hyped by a good deal of fanfare, outfitted with some new features, and now available for download, Firefox 2.0 has already passed 2 million downloads in less than 24 hours. However, a growing number of users are reporting bugs, widening memory leaks, unexpected instability, poor compatibility, and an overall experience that is inferior to that offered by prior versions of the browser."

 

"SecurityFocus reports an unpatched highly critical vulnerability in Firefox 2.0. This defect has been known since June 2006 but no patch has yet been made available. The developers claimed to have fixed the problem in 1.5.0.5 according to Secunia, but the problem still exists in 2.0 according to SecurityFocus (and I have witnessed the crash personally). If security is the main reason users should switch to Firefox, how do we explain known vulnerabilities remaining unpatched across major releases?"

 

 

no software is perfect.

[candygirl]

They have a patch for IE7 that was fast!