New IE7 bug exposes users to content injection

Powered by SC Magazine
 

Security researchers at Secunia have discovered a new vulnerability in Internet Explorer 7 that could be exploited by online identity thieves.

An attacker could inject content into another website's window, for instance replacing a log-in pop-up window for an online bank with a page that looks similar to the bank's log-in window.

The attacker would have to know the target name of the window being replaced, and would require the attacker's website and the target website to be open at the same time.

Secunia rated the vulnerability as 'moderately critical', its third most severe security rating on a five-step scale.

A Microsoft spokesman denied that the reported flaw describes a vulnerability in its software.

The said in an emailed statement that Secunia describes the issue as "a by-design behaviour in popular web browsers that allows a website to open or reuse a pop-up window".

Users will be able to tell that they have been directed to a phishing website because the pop-up window displays an address bar.

Secunia issued a warning about a similar vulnerability in Internet Explorer 5 and 6 in 2004.

Today's alert is the fourth alleged security vulnerability that Secunia has unearthed in Internet Explorer 7 since the browser was launched earlier this month.

In addition to today's denial, Microsoft has dismissed one other Secunia report because it affected Outlook Express rather than IE7. Microsoft has confirmed the two other vulnerabilities.

Copyright ©v3.co.uk


 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  26%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 337

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  57%
 
No
  43%
TOTAL VOTES: 140

Vote