Second IE7 flaw emerges
A second vulnerability has emerged in the new Internet Explorer 7 browser. A new flaw can be exploited by phishers to spoof the URL in the address bar and possibly convince users to hand over personal information.
The issue was first reported by security firm Secunia. In its advisory, the company says it is possible to display a popup with a partially spoofed address bar where a number of special characters have been appended.
It is possible to see the correct URL if you click either in the browser window or in the address bar and then scroll within the address bar. But not many victims will do that every time a new site is displayed.
Secunia has constructed a demonstration which spoofs the Microsoft web site. There are, as far as is currently known, no exploits in the wild that make use of this vulnerability.
Earlier this week Secunia reported a flaw in IE7 just hours after the new browser was released. At the time Microsoft declared that it was an old bug and related to Outlook Express.
Unlike the first vulnerability, however, Microsoft is admitting there is a problem. The Microsoft Security Response Centre Blog says that the company is aware of the problem and is looking into it.
In the meantime, Microsoft is recommending that users of IE7 opt in to the Phishing Filter built into the browser. This tool allows people to report on a site that they believe is constructed for phishing attacks and will allow the company to get a better idea of any threat that emerges. If the threat is real, the Phishing Filters on every other user’s browser will be primed to issue an alert if the site is loaded.