A newly discovered bug in Microsoft's Internet Explorer Web browser may help fraudsters trick Internet users into divulging sensitive information and executing malicious code, according to a security researcher.
The new glitch allows a specially crafted URL, or link, to load a browser window that appears to be displaying any address the attacker wants -- this would enable a fraudster to load a window that would appear to be displaying www.zdnet.com.au, for example, but would in fact display content from another source. The problem will make it easier for scammers to trick Internet users into divulging personal details through "phishing scams", where emails purporting to come from the victim's Internet banking provider or another such site encourage them to re-enter details such as usernames and passwords, according to security research engineer Drew Copley.
"You could pretend to be anybody. You could have someone run executable content," he said by phone from the US. "This is not the end of the world [but] it adds to Microsoft's woes."
IE bugs are somewhat of a specialty for Copley, of US-based eEye Digital Security. He has uncovered numerous security issues in the near-ubiquitous Web browser. While the bug may not allow an attacker to compromise a system through a traditional "remote compromise" style of attack, it's the glitch's potential to undermine the user's ability to determine what they should trust that represents the largest concern in this instance, he said.
"If [the address is] appearing legitimate like that, you can get people to download anything, run anything, or get a password or whatever," he explained.
However, other, more serious vulnerabilities are more likely to be on the top of Microsoft's hit-list, Copley said; several vulnerabilities were recently discovered by a Chinese security group, with three of them allowing an attacker to remotely compromise a system.
While it's possible for users to mitigate those vulnerabilities by disabling the browser's "active scripting", which allows the browser to run scripts and ActiveX code, turning off the feature will limit the browser's functionality, Copley said.
"You can, of course, turn off active scripting ... it's going to protect you, but it's going to make it hard to browse around," he argued.
The latest glitch was discovered by 18-year-old graphic designer Sam Greenhalgh.
Talkback
I think it's a little irresponsible to post the actual HTML of the flaw mentioned within the article.
Surely this will encourage more people to take advantage of this particular flaw if knowledge is more widespread?
Right click and show page properties! You can see the 'true' URL. It is absolutely necessary to show how this URL hijacking takes place so that people know what to do and how to check the validity of the sites they visit.
I think Patrick should revisit this topic as there has been much interest generated. Some of the earlier tools (like SpoofStick, e.g.) check the ip address or hostname only. This kind of protection is way way too simplistic. The hacker has some new exploits including auto downloading keyboard loggers if you visit some "infested" web sites. Therefore just checking the ip address is definitely insufficient! One needs a more advanced tool to combat against this including switching away from IE to Mozilla as a last resort.
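The article describes a window that appears to show www.zdnet.com.au while loading content from elsewhere, and the talkback advises checking the 'true' URL. The following is an added example, not code from the article or from eEye, of a defender-side link check in the spirit of that advice: it compares the host a link visibly claims with the host the URL parser will actually resolve to. The sample links are constructed here; nothing is fetched.

```javascript
// Added example: flag links whose visible text claims one host while the
// href actually resolves to another. Constructed input, no network access.

function effectiveHost(href) {
  // The WHATWG URL parser yields the authority the browser will really use;
  // this is the "true" host, independent of what the link text displays.
  return new URL(href).hostname.toLowerCase();
}

function hostFromDisplayText(text) {
  // Extract a host-looking token from the visible link text, if there is one.
  const m = text.match(/(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})/i);
  return m ? m[1].toLowerCase() : null;
}

function classifyLink(link) {
  const realHost = effectiveHost(link.href);
  const shownHost = hostFromDisplayText(link.text);
  const reasons = [];
  if (shownHost && shownHost !== realHost) {
    reasons.push(`text shows ${shownHost} but link resolves to ${realHost}`);
  }
  // A bare IP address as the host is a common phishing tell (the talkback's
  // point that tools which only look at the IP address are not enough still
  // stands: the mismatch check above is the primary signal).
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(realHost)) {
    reasons.push('host is a bare IP address');
  }
  return { realHost, shownHost, suspicious: reasons.length > 0, reasons };
}

// Constructed samples resembling links in the phishing mail the article describes.
const SAMPLE_LINKS = [
  { text: 'www.zdnet.com.au', href: 'http://www.zdnet.com.au/' },
  { text: 'http://www.zdnet.com.au/login', href: 'http://203.0.113.10/login' },
];

function scanLinks(links = SAMPLE_LINKS) {
  return links.map(classifyLink);
}

for (const r of scanLinks()) {
  console.log(r.suspicious ? 'SUSPICIOUS' : 'ok', r.realHost, r.reasons.join('; '));
}
```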