To add to Microsoft’s problems with OneCare, a vulnerability in its Internet Explorer (IE) browser could help fraudsters make phishing websites appear legitimate.
The flaw lies in the way IE7 processes a locally stored HTML error message page that is typically shown when the user cancels the loading of a web page, according to security researchers based in Israel.
The error message tells the user that "navigation to the web page was cancelled" and offers the user the opportunity to "refresh the page." If the refresh link is clicked, IE7 can be tricked into displaying the wrong web address for a page. This flaw could be exploited by phishers who want to make their spoofed websites appear legitimate.
Attackers can inject a script that displays whatever they want in the page when the user clicks the refresh link. In effect, an attacker can render arbitrary content in the browser while the address bar shows whichever URL the attacker chooses.
The bug, which is classed as a cross-site scripting vulnerability, affects IE7 on Windows Vista and Windows XP. Microsoft has said it is investigating the issue and is not yet aware of any attacks attempting to use the reported vulnerability.
Just as with OneCare, Microsoft is in danger of losing the security credibility it temporarily recovered through its efforts to make Vista more secure. IE7 was another product intended to offer better security than previous versions of Internet Explorer and to prevent cross-site scripting attacks.
Granted, Microsoft’s software will always face more attacks than that of other suppliers, but the company’s self-rebuilt security image is rapidly becoming tarnished. On its website promoting IE7, Microsoft talks of a “Dynamic Security Protection” and “a robust new architecture.”
Er, no, on this evidence.