An attacker could exploit the flaw by making a user click on a specially crafted website that would launch a pop-up window. The attacker could then forge the URL for the pop-up, for instance to make it look like a log-in window for an online bank. The URL of the phishing site will still be available, but is pushed outside the visible area of the window.
Danish security vendor Secunia published details of the vulnerability on its website on Wednesday. The company rated the vulnerability as "less critical", the second step on its five step security severity rating.
The flaw is the first published vulnerability in the Internet Explorer 7 browser that was launched last week. An IE7 vulnerability that Secunia published last week turned out to affect an Outlook component rather than Internet Explorer.
Microsoft in a blog posting noted that IE7's new anti phishing technology can help prevent the phishing pop-ups from opening. The company also noted that users should follow security best practices and refrain from entering confidential information on a website that doesn't offer an SSL certificate.
.png&h=140&w=231&c=1&s=0)
iTnews Executive Retreat - Security Leaders Edition
_(1).jpg&h=140&w=231&c=1&s=0)
