Microsoft Confirms IE7 Address Bar Flaw


xpgeek
26-10-2006, 07:08 PM
Second flaw found in IE 7

Microsoft confirmed a vulnerability Thursday in the address bar of Internet Explorer 7. First reported by security firm Secunia on Wednesday, the issue occurs in popup windows. It is possible to display a somewhat spoofed address bar, the company said.

Due to this issue, a specially crafted URL with special characters may hide portions of the address. This could open the user up to attacks, including performing actions that they may not be aware of. Secunia has rated the issue as "less critical," its second-lowest rating.

No attacks using this flaw are currently known, Microsoft said. It also recommended users make use of the Microsoft Phishing Filter that is included within IE7.

"The Microsoft Phishing Filter online service is designed to allow us to update it fairly quickly with information as sites are reported and confirmed by us," Christopher Budd of the Microsoft Security Response Center Blog said.

"We do have this issue under investigation and as always, once we complete our investigation we'll take appropriate steps to protect our customers," he continued.

However, Budd downplayed the flaw, saying Microsoft's research showed the full URL can still be displayed by clicking in the browser windows or address bar, or scrolling within the address bar.

Source (http://www.betanews.com/article/Microsoft_Confirms_IE7_Address_Bar_Flaw/1161879160)

Micron
30-10-2006, 03:12 PM
A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites.

The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2.

Continued at Source... (http://secunia.com/advisories/22628/)

xpgeek
31-10-2006, 01:04 AM
So that's three now. Hmm, IE 7 is nice, but I'm still making damn sure my mother is using Firefox.