IE 7 With Vulnerability Number Three

Microsoft encounters yet another flaw in its own browser IE7. While alerting about the flaw, 'Secunia' declares it another opportunity for online identity thieves. Microsoft is in a rather unpleasant situation because this version of the security problem was originally in Microsoft IE6.

Researchers Per Gravgaard identified the flaw over the weekend. An attacker could inject content into another site's window by exploiting the vulnerability. They could also put a pop-up window in place of an online bank with a page appearing same as the bank's login window. The construction and purpose of the login pop-up window is to steal the user's confidential information like username and password.

The flaw is in the manner by which the browser handles pop-up pages. The hacker could exploit the vulnerability to open an authentic pop-up URL and overlay it with a new web copy, which could be used to dig at the target's private data.

Unlike previous versions of the browser, IE7 displays the existing URL of any pop-up and therefore, it should be able to overthrow this type of attack. However, a combination of this flaw and the second one found in the browser can make an attack to fool IE7 users.

Secunia has called the current flaw 'security vulnerability' while Microsoft says it is due to "by-design behavior" in the browsers.

Secunia has rated this flaw as "moderately critical" because just by viewing given content the access to a user's PC can't be gained. But if a user enters confidential information into the infected pop-up window, it could be dangerous.

Microsoft said a guard against this exploit is to follow its 'safe browsing guidelines' and verify for an HTTPS connection prior to feeding their sensitive information.
A careful user might know when he is under attack. With the appearance of the URL for the pop-up window, it is possible to detect a fraudulent request for sensitive information.

Secunia has warned that the security flaw is capable of affecting even a fully protected system running 'IE7' and 'Microsoft Windows XP Service Pack 2'. The security company asks surfers to browse only credible sites.

Related article: IE & Gmail Show Up with Alarming Vulnerabilities

» SPAMfighter News - 11/1/2006