New phishing hole in Internet Explorer 7
Michal Zalewski has discovered a vulnerability in Internet Explorer 7 that makes it easy for phishers to do their dirty work and takes the usual advice to always enter URLs manually to an absurd extreme. Just after Internet Explorer 7 was released last October, a flaw was detected that allows the address bar of a window to be incorrectly displayed.
Among other things, this new vulnerability results from the way JavaScript processes what are called "onunload" events. For instance, a web site can prevent a new web site from being loaded even though the address of that new web site is displayed, provided the address is entered manually. Users then probably think they are on the right web site. Zalewski has provided a demo to allow people to test the flaw.
While victims still have to visit a malicious web site for an attack to succeed, once they have done so they cannot be sure that further web sites can be trusted. If, however, the next web site is visited via a bookmark, the address of the manipulated site is still displayed.
Secunia says that it discovered the hole on January 5 and reported it to Microsoft. The firm says that it wanted to wait to publish its own security advisory until Microsoft had provided its assessment. However, Secunia has now decided to release information because Zalewski has also done so. Internet Explorer 7 on Windows XP and Vista is affected.
While the problem does not affect Firefox, during his tests Zalewski found another flaw in the Mozilla Foundation's browser in the processing of onunload events that causes a crash. He has also published a demo to illustrate the problem. Zalewski says that he cannot rule out the possibility that code could be injected and executed through this hole given the nature of the flaw. As a workaround for both Firefox and Internet Explorer, the only thing users can do is switch off JavaScript to protect themselves.
- MSIE7 browser entrapment vulnerability (probably Firefox, too), Michal Zalewski's security advisory
- Internet Explorer 7 "onunload" Event Spoofing Vulnerability, Secunia's security advisory
- Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr), Secunia's security advisory
(ehe)