Security experts have found a weakness in Internet Explorer 7 that could help crooks mask phishing scams, the type of attack Microsoft designed the browser to thwart.
IE 7, released last week, allows a website to display a pop-up that can contain a spoofed web address, security monitoring company Secunia said on Wednesday. An attacker could exploit this weakness to trick people into believing they are on a trusted website when in fact they are viewing a malicious page, Secunia said in an alert.
"This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions," Secunia said. The company has created a demonstration that shows a Microsoft web address in the pop up window, but displays content from Secunia.
The problem lies in the way web addresses are displayed in the IE 7 address bar, a Microsoft representative said in an emailed statement. An attacker could exploit the issue by tricking a user to click on a specially formatted link, the representative said.
The pop-up will block the left part of the web address, Microsoft said. "Clicking in the browser window or in the address bar and scrolling within it will display the full URL, however," the company said. In case of the Secunia example, the true Secunia URL is revealed.
An attack won't work if a website is known to be part of a phishing scam, Microsoft said. The IE 7 phishing shield will identify such sites and warn the user, it said. Microsoft is not aware of any attacks that actually use the reported vulnerability, the company said.
IE 7 is the first major update to Microsoft's ubiquitous web browser in five years. Security was the No. 1 investment for the update, Microsoft has said. The phishing protection has been a major focus for Microsoft, shielding against malicious websites designed to trick users into handing over their personal information.
The spoofing issue, rated "less critical" by Secunia, appears to be the first genuine, publicly disclosed flaw in the new Microsoft browser. An earlier problem, disclosed a day after the IE 7 release, lies in Outlook Express, not IE 7, Microsoft has said.
Microsoft will continue to look into the problem and may provide a browser patch to fix it, the company said. In addition, Microsoft chided the anonymous discloser of the flaw. The software maker prefers that security issues be disclosed privately so it can repair them before they are publicly known.
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
Apple are currently pushing to get tv content on the iPad by April 3rd. This could possibly be seen as a spoiler for that announcement I suppose....
2 hours ago by John Molloy
Hey - presume you mean something that builds on Apple's existing TV device? Apple have already had a couple of runs at building Apple TV and it's...
8 hours ago by Andrew Donoghue on Google's TV timing may reveal more to come
Google, Sony, Intel may build TV project www.zdnet.co.uk/news/emerging-tech/2010/03/18/google-sony-intel-may-build-tv-project-40088359/
8 hours ago on Twitter by BVE2011
70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating,...
9 hours ago by ator1940 on Microsoft says it decimated Waledac botnet I agree Roger, and why can't they write secure code? What will happen when they find stolen code in windows? They have a track record of...
9 hours ago by ator1940 on Microsoft lashing out at Linux, open source Do you think it will really take days?
9 hours ago by ator1940 on Microsoft previews Internet Explorer 9 with HTML 5 support
Wonder how many days it will take before somebody codes an exploitive hack for IE9?
21 hours ago by Xwindowsjunkie on Microsoft previews Internet Explorer 9 with HTML 5 support
There are some really good people in Microsoft and I wonder, how embarassing it must be for them to see how the organisation behaves from it's...
1 day ago by roger andre on Microsoft lashing out at Linux, open source
Great new look for ZDNET UK web-site http://bit.ly/9R5eAA to check it out @ZDNetUK #zdnet
1 day ago on Twitter by ajclarke
Microsoft previews Internet Explorer 9 with HTML 5 support - zdnet.co.uk http://bit.ly/9FSh23
1 day ago on Twitter by feedfrog
We were just pondering on when IE will get HTML5 and CSS3 onboard! this is excellent
1 day ago by kencogold on Microsoft previews Internet Explorer 9 with HTML 5 support
RT @suziedaniels: relaunched www.zdnet.co.uk raises the bar yet again! its so fast it makes my eyes bleed.
1 day ago on Twitter by riptari This is brilliant - I borrowed one and straight away saw that a few AP`s were set up to the wrong country. It gives interference levels on each...
1 day ago by Bob Preece on Fluke Networks AirCheck Wi-Fi Tester
http://www.zdnet.co.uk/news/networking/2010/03/11/european-parliament-votes-down-acta-treaty-40085614/ (Where does this leave #Debill?)
1 day ago on Twitter by _SimonArnoldme
relaunched www.zdnet.co.uk raises the bar yet again! its so fast it makes my eyes bleed.
1 day ago on Twitter by suziedaniels
Redesign complet pour ZDNet UK et AU, Twitter au centre http://www.zdnet.co.uk/ http://www.zdnet.com.au/
1 day ago on Twitter by eparody
RT @eparody: Redesign complet pour ZDNet UK et AU, Twitter au centre http://www.zdnet.co.uk/ http://www.zdnet.com.au/
1 day ago on Twitter by cdutheil
Sharepoint 2010 in photo's http://www.zdnet.co.uk/reviews/communication-and-collaboration/2010/03/04/sharepoint-2010-screenshots-40070577/
1 day ago on Twitter by gerardvFor multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
Talkback
Doesn't work if you put all pop-ups into tabs.
26 Oct 06 11:51 ReplyGotta love it!! When you have a "swiss cheese"
26 Oct 06 14:33 ReplyOS, everything else should be of the same.