April 6, 2006 12:21 PM PDT

Another security hole found in IE

An unpatched vulnerability in Internet Explorer could aid fraudsters in pulling off phishing scams, experts have warned.

The error could be exploited to fake the address bar in a browser window, security monitoring company Secunia said in an advisory published on Tuesday. This tactic could be used in phishing scams that attempt to trick people into believing they are on a legitimate site, when in fact they are viewing a fraudulent Web page.

Phishing is a prevalent type of online scam that seeks to pilfer personal information from unsuspecting Internet users. The scams typically combine spam e-mail with fraudulent Web sites that appear to come from a trusted source, such as a credit card company or a bank.

The flaw exists because of an error in the way the Microsoft Web browser loads Web pages and Macromedia Flash animations, according to Secunia. The company rates the issue "moderately critical" and has created a special Web page where users can test their Web browser to see if they are affected.

Secunia has confirmed that the vulnerability affects IE 6.0 on Windows XP with all current security patches. It also affects the latest IE 7 Beta release, Secunia said. Other versions may also be affected, it said.

Microsoft is investigating the newly reported flaw, a representative said in an e-mailed statement late Wednesday. "Our initial investigation has revealed that customers who have set their Internet security settings to high, or who have disabled active scripting, are at reduced risk from attack as the attack vector requires scripting," the representative said.

Additionally, Microsoft noted that it has not seen any active attacks that take advantage of this issue, which Secunia has dubbed the "Internet Explorer Window Loading Race Condition Address Bar Spoofing" flaw.

This is the fourth unpatched vulnerability for IE that has become public in the last few weeks. Microsoft plans to release a security update for the Web browser on Tuesday. At least one of the disclosed bugs will be fixed in that update, the company has said. That flaw, related to how IE handles the "createTextRange()" tag in Web pages, has been exploited in attacks to install spyware, remote-control software and Trojan horses on vulnerable PCs.

Temporary workaround?
by supercoolpcguy April 6, 2006 2:31 PM PDT
I just used Secunia's test page on my regular browser (Firefox 1.5.0.1) and it passed. I then used Internet Explorer 6 (fully updated and patched) but it too passed. Here's why as near as I can tell:

I have customized security settings on my installation of Internet Explorer. The page was unable to take advantage of the vulnerability because I have "Navigate sub-frames across different domains" set to "Prompt". By default, this setting is set to "allow".

If you are using Internet Explorer and are concerned about this vulnerability, you should be able to plug the hole (at least until MS releases a patch) by changing this particular setting. Then when you visit a page that attempts to exploit this hole you'll see a prompt that asks whether you want to allow "sub-frames to navigate across different domains". Just choose "no" and you ought to be alright. -ja
Didn't work for me
by tonycb April 6, 2006 3:01 PM PDT
I too generally use Firefox, but I tested IE. It came up vulnerable. Changing the sub-frames setting didn't work for me.

Turning active scripting off did work.
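As an added example (not part of the article or of either comment above), the following PowerShell snippet audits, for the current user, the two Internet zone settings this thread talks about: the "Navigate sub-frames across different domains" option supercoolpcguy set to Prompt, and the "Active scripting" option that Microsoft's statement and tonycb's reply refer to. It assumes a Windows host with PowerShell. The registry path, the option ids (1607 and 1400) and the value meanings (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft-documented zone settings and do not appear on this page; the script only reports the current state and does not claim that either setting alone closes the hole.

```powershell
# Added example, not from the article or the commenters: report the two
# Internet Explorer settings discussed in the thread for the current user.
# Zone 3 is the Internet zone. Option ids and value meanings are the
# Microsoft-documented ones (1400 = Active scripting, 1607 = Navigate
# sub-frames across different domains; 0 = Enable, 1 = Prompt, 3 = Disable);
# none of these identifiers come from the page.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$options = [ordered]@{
    '1607' = 'Navigate sub-frames across different domains'
    '1400' = 'Active scripting'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeInternetZoneSetting {
    param([string]$OptionId)
    # Returns the per-user value, or $null when the value is not set for this
    # user (in which case the zone default applies).
    $item = Get-ItemProperty -Path $zonePath -Name $OptionId -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$OptionId
}

foreach ($id in $options.Keys) {
    $value = Get-IeInternetZoneSetting -OptionId $id
    $label = if ($null -eq $value) { 'not set (zone default applies)' } else { $meaning[$value] }
    # Prompt or Disable is the reduced-risk state Microsoft's statement describes;
    # Enable (or an unset value falling back to the default) is flagged for review.
    $ok   = ($value -eq 1 -or $value -eq 3)
    $flag = if ($ok) { 'OK    ' } else { 'REVIEW' }
    Write-Output ('{0} {1,-48} = {2}' -f $flag, $options[$id], $label)
}

# To apply the workaround supercoolpcguy describes (Prompt) for the current
# user, uncomment the next line. It changes only the sub-frame option.
# Set-ItemProperty -Path $zonePath -Name '1607' -Value 1 -Type DWord
```

Run it in a normal user session; it reads only the current user's zone key, so a machine-wide policy that overrides per-user zone settings would not be reflected in its output.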
Just uninstall IE....
by tonycb April 6, 2006 2:56 PM PDT
Oh wait....thanks microsoft ;-)
Not possible
by Roman12 April 6, 2006 4:26 PM PDT
If you are using Windows then it's not possible to uninstall IE; even though it gives that option, IE still comes back up. This is because it is a critical component of Windows; it's pretty much the same thing as Windows Explorer, so technically you are using IE to browse the My Computer folder. What I have done is made Firefox my default browser and deleted all IE shortcuts. I would suggest the same for you.
______________________________
R.K.
http://www.Remove-All-Spyware.com
At this point...people that still use I.E. ....
by anarchyreigns April 6, 2006 3:09 PM PDT
At this point, people that still use I.E. get what they deserve.
i disagree
by mahurshi April 6, 2006 3:20 PM PDT
a majority of the people that use computers use IE. and this is mainly because they do not know (and are "not sure") that they have other "better" options. there are some people that hate firefox for their own reasons, but they are not the majority of computer users.

to fix this problem, windows IE has to be fixed from ground up, blaming the users for being too naive is only going to prove futile, because there are a lot of them and they just don't understand, or don't have the time/inclination to learn about different browsers.

hopefully, in the future, there'll be a secure browser installed by default by the sys admins or even by the vendors. if they make it hard to find the link to IE, but keep the firefox icon readily available on the desktop and call it "Internet" (or something equivalent), people would use firefox. otherwise, you'll end up spending a lot of time trying to teach them to use what they perceive as "something new and complicated."

mahurshi akilla
A few small risks
by Tomcat Adam April 6, 2006 3:30 PM PDT
Are more than worth it than spending a long time optimizing other browsers for 1/2 of my max speed.

Currently, on decent sites, I can't download at any decent rate of speed with an alternative browser. With IE, I can get files at roughly 700+KB/s. FF doesn't get anywhere near half of that.

And you can't fault average joe user who has the internet for nothing more than email or web browsing for not using another browser. As most open source advocates would say, the main reason most people are using IE is because they don't know that an alternative exists.
What a piece of CR@P!
by rtuinenburg April 6, 2006 3:20 PM PDT
Set IE to highest possible security setting and never use it again, unless you absolutely have to. I hope microsoft starts a contest to win $50,000 for every security bug people find before they release their new version of IE. They can afford it, and it will save them lots of face in the future. It will take a lot for me to gain the trust back in IE.
They can't afford a contest
by The_Nirvana April 7, 2006 9:35 AM PDT
The rate at which we see IE bugs...at $50,000/bug discovered, they will quickly burn through their cash reserves. Better solution, remove IE and all its hidden components and start bundling Firefox with windows.
C2 Security Concerns
by wbenton April 10, 2006 8:11 AM PDT
C2 Security Stipulates to STOP all unnecessary processes and uninstall all unnecessary applications.

Since Firefox has come about... many people have deemed IE unnecessary.

Only problem is... there's no way to follow C2 guidelines for uninstalling it and stopping all the services related with it!!!

Walt
IE 7 As Bad As IE 6
by maxwis April 6, 2006 5:18 PM PDT
The last couple of browser security issues have shown up in IE 7 as well as older versions of IE. So what does this say about MS claims that the Geritol Tonic for what ails you will be IE 7? It is more like Jim Jones Kool-Aid.
That's the price of using a defective product.....
by Earl Benser April 7, 2006 4:50 AM PDT
.... and IE is about as defective as you can get. I stopped using it years ago.
Firefox Newbie Very Impressed
by john55440 April 7, 2006 7:05 AM PDT
In response to IE's recent series of unpatched security holes I installed Firefox for the first time. Security concerns aside, I find it to be faster, better, and of a more advanced design than IE.
Extensions
by supercoolpcguy April 7, 2006 11:52 AM PDT
I switched over to Firefox some time back and continue to use it over Internet Explorer the large majority of the time.

If you're new to Firefox, might I suggest checking out "extensions" (available from https://addons.mozilla.org/extensions/). Extensions are basically small packages that integrate with the Firefox browser to add any number of new functions and browsing enhancements. Some of my favorites that you might want to look into for starters are:

  • Adblock - automatically blocks/removes unwanted advertisements from web pages you view.
  • Adblock Filterset.G Updater - automatically updates Adblock's list of blacklisted addresses.
  • Colorful tabs - makes each tab a different color when using multiple tabs. Very handy.
  • Copy plain text - copy text without formatting.
  • Google preview - adds thumbnail views of webpages to your Google results.

Those are just a handful; there are MANY more.
CallingID protects users from scam using this hole
by ba_oren April 7, 2006 2:53 PM PDT
When you use Callingid (free download at www.callingid.com) you are automatically protected from a scammer using this hole - you see the real owner of the site
Another Copy/Paste headline
by aabcdefghij987654321 April 7, 2006 4:22 PM PDT
It was almost a week since the last one, wow.