Microsoft Internet Explorer XSS vulnerabilty could attract phishers

By

Microsoft's Internet Explorer 7 (IE7) is vulnerable to cross-site scripting that could allow attackers to spoof a trusted site to launch a phishing attack.

Microsoft Internet Explorer XSS vulnerabilty could attract phishers
Vulnerability tracking firm Secunia ranks the flaw, discovered by Israeli researcher Aviv Raff, as "less critical."

Attackers are able to inject script into the "Refresh the page" link that appears on a webpage when navigation to a particular site is cancelled.

Cyberthieves can then lead unsuspecting users to a phishing site.

"The victim will think that there was an error in the site or some kind of network error and will try to refresh the page," Raff said on his website.

"Once he will click on the "Refresh the page" link, the attacker’s provided content (e.g. fake login page) will be displayed and the victim will think that he’s within the trusted site because the address bar shows the trusted site’s URL."

Microsoft is investigating the "possible" vulnerability and was not aware of any customers being affected, a company spokesman told SCMagazine.com in an email.

Raff said the bug could be exploited to launch a phishing attack if the user wants to get to a banking, ecommerce or social networking site, for example. But the flaw likely cannot be taken advantage of to execute remote code, he added.

"To perform a phishing attack, an attacker can create a specially crafted navcancl.htm (which signals a canceled navigation) local resource link that will display fake content of a trusted site," Raff said.

Secunia said in an advisory today that users should only follow links from trusted sources and should not click on the "Refresh the page" link when located on a "Navigation Cancelled" page.
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
bitecouldexplorerforinternetmicrosoftphishersprovidesecurityxss

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?