Microsoft Investigates IE 7 Vulnerability
The vulnerability was discovered by noted Israel-based security researcher Aviv Raff. Using a cross-site scripting attack, an attacker can exploit a design flaw in IE 7, he wrote on his Web site.
He said an attacker can create a specially crafted navcancl.htm local resource link with a script that displays fake content imitating a trusted site such as PayPal.
When the victim opens the link that was sent by the attacker, a "Navigation Canceled" page will be displayed, he said.
If the victim refreshes the page, the content supplied by the attacker (a fake PayPal login page, for example) will be displayed in an attempt to trick the user into believing he or she is on the actual site, he wrote.
In an interview with eWEEK, Raff said the vulnerability should be taken seriously.
"Well, it's a serious threat, because a phisher can use it to take advantage of his victim without the need to create a fake URL," he said.
"Until MS fixes this vulnerability, the user should not trust the 'Navigation Canceled' page, and should not click on any link on that page."
The vulnerability affects IE 7 on Windows Vista and XP.
A Microsoft spokesperson said in an e-mail to eWEEK the company was not aware of anyone actually trying to exploit the vulnerability.
The company will continue to investigate the matter and will take appropriate action when the investigation is completed, and urged anyone who feels they have been affected to contact Product Support Services.
Copyright 2007 by Ziff Davis Media, Distributed by United Press International