16 March 2007, 09:33

Phishing vulnerability in Internet Explorer 7 [Update]

A combination of two security holes in Internet Explorer 7 is giving phishers a leg up. The Israeli security specialist Aviv Raff has supplied an appropriate online demo. It makes use of the browser's routine with which it reports the cancellation of navigation ("Navigation to the webpage was canceled"). With a modified link it is possible to inject JavaScript into the navcancl.htm local resource and thereby display fake content.

This in itself would not be that much of a threat, but because of a design flaw, Internet Explorer 7, regardless of where the subsequent content comes from, displays in the address bar the URL of the page that was originally called. A user could therefore be deceived about the origin of the content. The fake content is not displayed however until the victim clicks on the "Refresh the page" link on the error page. That being said, experience indicates that many users are more likely to hit the refresh button on the navigation bar; in which case the vulnerability would be of no consequence.

According to reports in the US media, Microsoft is looking into the problem. Internet Explorer 7 under Vista and XP is affected. Until there is a solution to the problem Mr. Raff recommends that users not trust the "Navigation Cancelled" page. Alas, switching to a different browser is not much of a remedy. A few days ago Michal Zalewski presented a spoofing hole in Firefox. Only in Opera has no phishing hole as yet been detected. Appearances can be deceptive, though. Because of its not too significant market share very few security specialists have so far turned their attention to the browser from Norway.

Update
In an email to heise Security Aviv Raff states that a user won't evade the attack by hitting the refresh button. He wrote, "When a user will try and click the refresh button, the page will not be refreshed at all, and therefore he will probably try to click the refresh link.".