Vulnerability in Internet Explorer 7 aids phishers
One of Microsoft's stated goals for Internet Explorer 7 was better protection for users against phishing attacks. This appears to have been only partially successful: security vendor Secunia has demonstrated a vulnerability in the latest version of the browser. By simply appending specific symbols to the end of a URL, Secunia was able to forge the address displayed in the address bar of a pop-up window: the address bar in the demo reads www.microsoft.com, even though the content originated from Secunia.
This is particularly disappointing because Microsoft has touted the fact that every open window and pop-up features an address line as a supplementary security feature in Internet Explorer 7. In Internet Explorer 6, it was possible to open additional windows without making clear the address to which they belonged. This in turn sometimes raised suspicions in the surfer's mind, which should no longer be the case with Internet Explorer 7.
On the very day the final version of Internet Explorer 7 was released, Secunia demonstrated a problem in the browser whereby attackers could spy on the content of opened windows – a problem Microsoft had already known about for six months. Microsoft claimed in an analysis that the problem was not part of either Internet Explorer 6 or Internet Explorer 7, even though the vulnerability demonstration used the browser as its attack vector. According to the analysis, the fault instead lies in Outlook Express components in Windows, and the matter is still being investigated.
- Internet Explorer 7 Popup Address Bar Spoofing Weakness, Advisory from Secunia