Attackers could exploit a new flaw in Internet Explorer 7 (IE 7) to launch phishing expeditions, warns Israeli vulnerability researcher Aviv Raff.
Microsoft said it is investigating the findings of Raff, who said IE 7 running on Windows XP and Vista is susceptible to cross-site scripting attacks. That, combined with a design flaw in the browser, could allow digital miscreants to launch phishing schemes against users, he added.
"I think it is a serious vulnerability, because it allows a phisher to take advantage of the user without the need to create a look-alike URL," Raff said in an instant message exchange. "The user will see the trusted URL in the address bar and the fake content provided by the phisher."
Raff said he is unaware of any exploits in the wild. Microsoft issued a statement saying that it's investigating the flaw but has seen no evidence of active exploits to date.
In his blog, Raff said an attacker can create a specially crafted navcancl.htm local resource link with a script that will display [the] fake content of a trusted site, such as a bank, Paypal or MySpace URL. When the victim opens the link sent by the attacker, a "Navigation Canceled" page will be displayed and the victim will think there was a site error and try to refresh the page.
"Once he clicks on the 'Refresh the page' link, the attacker's provided content will be displayed and the victim will think that he's within the trusted site, because the address bar shows the trusted site's URL," Raff added in his blog.
News Editor Robert Westervelt contributed to this story.