By Joris Evers
Posted on ZDNet News: Apr 6, 2006 7:21:00 PM

An unpatched vulnerability in Internet Explorer could aid fraudsters in pulling off phishing scams, experts have warned.

The error could be exploited to fake the address bar in a browser window, security monitoring company Secunia said in an advisory published on Tuesday. This tactic could be used in phishing scams that attempt to trick people into believing they are on a legitimate site, when in fact they are viewing a fraudulent Web page.

Phishing is a prevalent type of online scam that seeks to pilfer personal information from unsuspecting Internet users. The scams typically combine spam e-mail with fraudulent Web sites that appear to come from a trusted source, such as a credit card company or a bank.

The flaw exists because of an error in the way the Microsoft Web browser loads Web pages and Macromedia Flash animations, according to Secunia. The company rates the issue "moderately critical" and has created a special Web page where users can test their Web browser to see if they are affected.

Secunia has confirmed that the vulnerability affects IE 6.0 on Windows XP with all current security patches. It also affects the latest IE 7 Beta release, Secunia said. Other versions may also be affected, it said.

Microsoft is investigating the newly reported flaw, a representative said in an e-mailed statement late Wednesday. "Our initial investigation has revealed that customers who have set their Internet security settings to high, or who have disabled active scripting, are at reduced risk from attack as the attack vector requires scripting," the representative said.

Additionally, Microsoft noted that it has not seen any active attacks that take advantage of this issue, which Secunia has dubbed the "Internet Explorer Window Loading Race Condition Address Bar Spoofing" flaw.

This is the fourth unpatched vulnerability for IE that has become public in the last few weeks. Microsoft plans to release a security update for the Web browser on Tuesday. At least one of the disclosed bugs will be fixed in that update, the company has said. That flaw, related to how IE handles the "createTextRange()" tag in Web pages, has been exploited in attacks to install spyware, remote-control software and Trojan horses on vulnerable PCs.
