Microsoft Investigates IE 7 Vulnerability

Mar 16, 2007
Internet Explorer logo

The vulnerability leaves users open to potential phishing attacks. Microsoft is investigating a new flaw uncovered in Internet Explorer 7 that opens users up to phishing attacks.

The vulnerability was discovered by noted Israel-based security researcher Aviv Raff. Using a cross-site scripting attack, an attacker can exploit a design flaw in IE 7, he wrote on his Web site.

He said an attacker can create a specially crafted navcancl.htm local resource link with a script that will display a fake content of a trusted site such as PayPal.

When the victim opens the link that was sent by the attacker, a "Navigation Canceled" page will be displayed, he said.

If the victim refreshes the page, the attacker's provided content - a fake PayPal login page for example - will be displayed in an attempt to trick the user into believing he or she is on the actual site, he wrote.

In an interview with eWEEK, Raff said the vulnerability should be taken seriously.

"Well, it's a serious threat, because a phisher can use it to take advantage of his victim without the need to create a fake URL," he said.

"Until MS fixes this vulnerability, the user should not trust the "Navigation Canceled" page, and should not click on any link on that page."

The vulnerability affects IE 7 on Windows Vista and XP.

A Microsoft spokesperson said in an e-mail to eWEEK the company was not aware of anyone actually trying to exploit the vulnerability.

The company will continue to investigate the matter and will take appropriate action when the investigation is completed, and urged anyone who feels that have been affected to contact Product Support Services.

Copyright 2007 by Ziff Davis Media, Distributed by United Press International

Explore further: A new app facilitates number and arithmetic learning in children with special educational needs

add to favorites email to friend print save as pdf

Related Stories

Grindr relents to user backlash – but does it respect its users?

Sep 03, 2014

The world's most popular gay social networking app, Grindr, is having a tough time. William Saponaro Jr is suing its developers for negligence, after he was arrested for sexual assault and endangering the welfare of a child. Sapnaro claims a 13 ...

Security experts raise flags over WhatsApp

Feb 22, 2014

The Facebook deal for WhatsApp drew attention for its whopping price tag, but has also brought out fresh criticism over security for the billions of messages delivered on the platform.

Retail breaches could fuel push for safer cards

Jan 17, 2014

The Target credit and debit card and personal information breach, which last week was revealed to have affected more consumers than originally thought and which may be linked to attacks on other retailers, is expected to ...

Recommended for you

BPG image format judged awesome versus JPEG

Dec 17, 2014

If these three letters could talk, BPG, they would say something like "Farewell, JPEG." Better Portable Graphics (BPG) is a new image format based on HEVC and supported by browsers with a small Javascript ...

Atari's 'E.T.' game joins Smithsonian collection

Dec 15, 2014

One of the "E.T." Atari game cartridges unearthed this year from a heap of garbage buried deep in the New Mexico desert has been added to the video game history collection at the Smithsonian.

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.