Phishing vulnerability in Internet Explorer 7 [Update]
This in itself would not be much of a threat, but because of a design flaw, Internet Explorer 7 displays in the address bar the URL of the page that was originally requested, regardless of where the subsequently rendered content comes from. A user could therefore be deceived about the origin of the content. The fake content is not displayed, however, until the victim clicks the "Refresh the page" link on the error page. That said, experience indicates that many users are more likely to hit the refresh button on the navigation bar, in which case the vulnerability would be of no consequence.
According to reports in the US media, Microsoft is looking into the problem. Internet Explorer 7 under both Vista and XP is affected. Until there is a solution, Mr. Raff recommends that users not trust the "Navigation Cancelled" page. Alas, switching to a different browser is not much of a remedy: a few days ago Michal Zalewski presented a spoofing hole in Firefox. Opera is the only browser in which no phishing hole has yet been detected. Appearances can be deceptive, though: because of its modest market share, very few security specialists have so far turned their attention to the browser from Norway.
In an email to heise Security, Aviv Raff states that a user won't evade the attack by hitting the refresh button. He wrote: "When a user will try and click the refresh button, the page will not be refreshed at all, and therefore he will probably try to click the refresh link."
- Phishing using IE7 local resource vulnerability, vulnerability report by Aviv Raff