The vulnerability reporting firm said that an anonymous tip led it to the vulnerability, which allows the browser to display a pop-up with a spoofed address bar that has special characters appended to the URL. The vulnerability makes it possible to display only a part of the address bar, which could potentially fool users into believing in the pop-up's credibility.
The hole is listed as a "less critical" vulnerability by Secunia, which has a demonstration of the vulnerability on its site.
According to Thomas Kristensen, Secunia CTO, it might be possible for the vigilant user to spot something that isn't quite right when a pop-up occurs, but he is worried about the danger to average users.
"This is the kind of spoofing vulnerabilities that (Microsoft) IE7 was supposed to be better at protecting against than its predecessor," said Kristensen. "Any user not wearing the paranoid glasses is easily fooled by this trick - despite the built-in anti-phishing mechanism being enabled."
In only its first week since release, IE7 has already had a pair of vulnerabilities reported to the public. Just hours after the browser was first distributed, Secunia warned of an error in redirection handling for URLs with the mhtml: URI handler.
Secunia reports another Internet Explorer 7 flaw
By Ericka Chickowski on Oct 25, 2006 5:34PM