By Joris Evers
Posted on ZDNet News: Oct 25, 2006 11:45:00 PM

Security experts have found a weakness in Internet Explorer 7 that could help crooks mask phishing scams, the type of attack Microsoft designed the browser to thwart.

IE 7, released last week, allows a Web site to display a pop-up that can contain a spoofed Web address, security monitoring company Secunia said Wednesday. An attacker could exploit this weakness to trick people into believing they are on a trusted Web site when in fact they are viewing a malicious page, Secunia said in an alert.

Image: IE 7 spoofing bug

"This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions," Secunia said. The company has created a demonstration that shows a Microsoft Web address in the pop-up window but displays content from Secunia.

The problem lies in the way Web addresses are displayed in the IE 7 address bar, a Microsoft representative said in an e-mailed statement. An attacker could exploit the issue by tricking a user into clicking on a specially formatted link, the representative said.

The pop-up will block the left part of the Web address, Microsoft said. "Clicking in the browser window or in the address bar and scrolling within it will display the full URL, however," the company said. In the case of the Secunia example, the true Secunia URL is revealed.

An attack won't work if a Web site is known to be part of a phishing scam, Microsoft said. The IE 7 phishing shield will identify such sites and warn the user, it said. Microsoft is not aware of any attacks that actually use the reported vulnerability, the company said.

IE 7 is the first major update to Microsoft's ubiquitous Web browser in five years. Security was the No. 1 investment for the update, Microsoft has said. The phishing protection has been a major focus for Microsoft, shielding against malicious Web sites designed to trick users into handing over their personal information.

The spoofing issue, rated "less critical" by Secunia, appears to be the first genuine, publicly disclosed flaw in the new Microsoft browser. An earlier problem, disclosed a day after the IE 7 release, lies in Outlook Express, not IE 7, Microsoft has said.

Microsoft will continue to look into the problem and may provide a browser patch to fix it, the company said. In addition, Microsoft chided the anonymous discloser of the flaw. The software maker prefers that security issues be disclosed privately so it can repair them before they get publicly known.

Talkback (most recent of 133)

Watch what you are saying!!
Dude... what the hell are you talking about? It's not because of Microsoft some websites don't work, it's because of the web designers! All the time now I'm using IE7 from the day it came out and any w... (Read the rest)
Posted by: deoshermes@... on 10/26/06 (Edited: 06/03/2008 @ 10:38)