• On MovieTome: Megan Fox on TRANSFORMERS 2!
advertisementAT&T Tech Support 360

October 25, 2006 4:45 PM PDT

Spoofing bug found in IE 7

By Joris Evers
Staff Writer, CNET News

Related Stories

Minor issues surface after IE 7 launch

 October 19, 2006

Microsoft hopes 7 is lucky number for IE

 October 18, 2006

Phishers hijack IM accounts

 October 16, 2006

Phishers catch on to the Net's 'long tail'

 September 12, 2006
Security experts have found a weakness in Internet Explorer 7 that could help crooks mask phishing scams, the type of attack Microsoft designed the browser to thwart.

IE 7, released last week, allows a Web site to display a pop-up that can contain a spoofed Web address, security monitoring company Secunia said Wednesday. An attacker could exploit this weakness to trick people into believing they are on a trusted Web site when in fact they are viewing a malicious page, Secunia said in an alert.

Image: IE 7 spoofing bug

"This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions," Secunia said. The company has created a demonstration that shows a Microsoft Web address in the pop up window, but displays content from Secunia.

The problem lies in the way Web addresses are displayed in the IE 7 address bar, a Microsoft representative said in an e-mailed statement. An attacker could exploit the issue by tricking a user to click on a specially formatted link, the representative said.

The pop-up will block the left part of the Web address, Microsoft said. "Clicking in the browser window or in the address bar and scrolling within it will display the full URL, however," the company said. In case of the Secunia example, the true Secunia URL is revealed.

An attack won't work if a Web site is known to be part of a phishing scam, Microsoft said. The IE 7 phishing shield will identify such sites and warn the user, it said. Microsoft is not aware of any attacks that actually use the reported vulnerability, the company said.

IE 7 is the first major update to Microsoft's ubiquitous Web browser in five years. Security was the No. 1 investment for the update, Microsoft has said. The phishing protection has been a major focus for Microsoft, shielding against malicious Web sites designed to trick users into handing over their personal information.

The spoofing issue, rated "less critical" by Secunia, appears to be the first genuine, publicly disclosed flaw in the new Microsoft browser. An earlier problem, disclosed a day after the IE 7 release, lies in Outlook Express, not IE 7, Microsoft has said.

Microsoft will continue to look into the problem and may provide a browser patch to fix it, the company said. In addition, Microsoft chided the anonymous discloser of the flaw. The software maker prefers that security issues be disclosed privately so it can repair them before they get publicly known.

See more CNET content tagged:
Microsoft Internet Explorer 7, address bar, Microsoft Internet Explorer, phishing, weakness

Add a Comment (Log in or register) 39 comments (Showing first 20 comments)
Time to give up.
by ralfthedog October 25, 2006 5:29 PM PDT
If someone is using IE they deserve to be scammed virus infected or what ever. It is not like Microsoft thanks the company's that find the flaws. Let Microsoft users rot.
Reply to this comment View all 3 replies
Time to give microsoft a break
by Leria October 25, 2006 6:23 PM PDT
It's actually time to give microsoft a break. I mean, how many attacks will REALLY do something like this, where a link is SOOOOOOOOOOOOO long that you can't see all of it? Not many, I'd wager.

This isn't even really a security 'vulnerability', it's a problem with the browsers that extends to Firefox and Opera as well.
Reply to this comment View all 3 replies
didn't happen with me
by guyfromtrinidad October 25, 2006 6:52 PM PDT
Tried it out using IE but didn't experience what was described. It took me to Microsoft but I got the Microsoft content, the exact same behavior happened in Firefox. Did this happen to anyone else? I'm not an IE fan but are we looking to hard for flaws?
Reply to this comment View all 2 replies
Exactly why Microsoft can't provide proper security!
by imacpwr October 26, 2006 12:31 AM PDT
Quote: "Microsoft chided the anonymous discloser of the flaw.
The software maker prefers that security issues be disclosed
privately so it can repair them before they get publicly known."

Security Issues: Publicly unknown (the users), privately WELL
known (the hackers). Those wanting to do harm to your
computer have their own underground information network
where as the users are left waiting like sitting ducks while
Microsoft gets around to releasing fixes in their own sweet time.
Keep those anonymous disclosers coming, it's the only way to
force Microsoft to live up to their obligations.
Reply to this comment
Happens in ALL versions of Firefox too!
by Hardrada October 26, 2006 5:15 AM PDT
This is not limited to just IE 7, Firefox 1 ~ 2 are vulnerable as well. I have not tested on the other browsers out there
Reply to this comment View all 2 replies
Come On
by Gasaraki October 26, 2006 5:26 AM PDT
Please... a popup that block part of the address but you can click on the address bar and the real address is still there? How is that a bug? That company is just looking for stuff to attack IE7. Last week, when this company found a 'bug' in IE7, it turned out to be a bug in Outlook Express and not even IE7.
Reply to this comment
No one is safe
by thedreaming October 26, 2006 7:10 AM PDT
It doesn't matter what browser you use, you can still be infected by a trojan, worm, spyware or a virus. You simply click on a link or run a program and bingo, you're infected.

It happened to someone that posted his story about it here at news.com He clicked on a link for a media player that thought was being used by myspace.com but it was a trojan. It filled his machine with spyware and made his life a living hell. He was using firefox at the time and that didn't protect him.

In the end, it doesn't matter which browser you use if you still click on the link or run the program. Don't be fooled, think before you click!
Reply to this comment View reply
Maxthon's not affected.
by ReVeLaTeD October 26, 2006 9:16 AM PDT
At least mine isn't. It shows
http://secunia.com/result_22542/?  http://www.microsoft.com/

Which is weird since it's using the IE engine, but I think it's the way Maxthon does tabbed browsing.
Reply to this comment
It's just word wrap? Goes away OnBlur?
by jeolmeun October 26, 2006 9:43 AM PDT
If you click on the client (html rendered) area of the popup window, the "spoofed" address seems to go away and the beginning of the address is shown. You could also try clicking on combo box arrow to show the whole address or just taking away focus from the address bar.

Look like it's playing with the edit box's word wrapping to show the second line.
Reply to this comment
You haven't seen anything yet!
by gernblan October 26, 2006 5:20 PM PDT
I'm going to make sure I have plenty of popcorn on hand when Vista comes out, so that I can enjoy the buttery goodness of fresh popped popcorn while I watch all the reports of Vista also popping like popcorn.

Vista, the "Windows ME" of the NT code base. Mark my words.
Reply to this comment View all 2 replies
This time Secunia = BS
by Jamie_Foster October 27, 2006 4:53 PM PDT
This is issue which is no big deal for the following 3 reasons:
1. On the pop-up all you have to is cliack the dropdown list and the entire true URL appears, not just the bit the Hacker wants you to see.
2. IE7 contains a quality phishing filter.
3. Anyone who enters financial info on a random popup is asking to be get ripped off.
This is not a critical bug where the hacker can take over your PC. It is a social engineering exploit. Those who use common sense will be safe.
One more thing, google "CA Antivirus Microsoft" and you can get a free 12 month sub to CA Anti-virus. Also turn on automatic updates and use the windows firewall if using XP. Finally don't run dodgy software (ie Kazaa), don't visit dodgy websites (ie porn, gambling etc} and protect your email account.
Reply to this comment
 See all 39 Comments >>
Powered by Jive Software
advertisement

Latest tech news headlines

Resource center from CNET News sponsors
You Need The Speed of Norton 2009
Introducing Norton Internet Security™2009

Click Here!
With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

Click Here!
The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Best hybrid cars
Cell phones
Dell
GPS
CNET sites
CNET TV
Downloads
News
Reviews
Shopper.com
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET