April 6, 2006 12:21 PM PDT

Another security hole found in IE

An unpatched vulnerability in Internet Explorer could aid fraudsters in pulling off phishing scams, experts have warned.

The error could be exploited to fake the address bar in a browser window, security monitoring company Secunia said in an advisory published on Tuesday. This tactic could be used in phishing scams that attempt to trick people into believing they are on a legitimate site, when in fact they are viewing a fraudulent Web page.

Phishing is a prevalent type of online scam that seeks to pilfer personal information from unsuspecting Internet users. The scams typically combine spam e-mail with fraudulent Web sites that appear to come from a trusted source, such as a credit card company or a bank.

The flaw exists because of an error in the way the Microsoft Web browser loads Web pages and Macromedia Flash animations, according to Secunia. The company rates the issue "moderately critical" and has created a special Web page where users can test their Web browser to see if they are affected.

Secunia has confirmed that the vulnerability affects IE 6.0 on Windows XP with all current security patches. It also affects the latest IE 7 Beta release, Secunia said. Other versions may also be affected, it said.

Microsoft is investigating the newly reported flaw, a representative said in an e-mailed statement late Wednesday. "Our initial investigation has revealed that customers who have set their Internet security settings to high, or who have disabled active scripting, are at reduced risk from attack as the attack vector requires scripting," the representative said.

Additionally, Microsoft noted that it has not seen any active attacks that take advantage of this issue, which Secunia has dubbed the "Internet Explorer Window Loading Race Condition Address Bar Spoofing" flaw.

This is the fourth unpatched vulnerability for IE that has become public in the last few weeks. Microsoft plans to release a security update for the Web browser on Tuesday. At least one of the disclosed bugs will be fixed in that update, the company has said. That flaw, related to how IE handles the "createTextRange()" method in Web pages, has been exploited in attacks to install spyware, remote-control software and Trojan horses on vulnerable PCs.

46 comments
Temporary workaround?
I just used Secunia's test page on my regular browser (Firefox 1.5.0.1) and it passed. I then used Internet Explorer 6 (fully updated and patched) but it too passed. Here's why, as near as I can tell:

I have customized security settings on my installation of Internet Explorer. The page was unable to take advantage of the vulnerability because I have "Navigate sub-frames across different domains" set to "Prompt". By default, this setting is set to "allow".

If you are using Internet Explorer and are concerned about this vulnerability, you should be able to plug the hole (at least until MS releases a patch) by changing this particular setting. Then when you visit a page that attempts to exploit this hole you'll see a prompt that asks whether you want to allow "sub-frames to navigate across different domains". Just choose "no" and you ought to be alright. -ja
Posted by supercoolpcguy (20 comments )
Didn't work for me
I too generally use Firefox, but I tested IE. It came up vulnerable. Changing the sub-frames setting didn't work for me.

Turning active scripting off did work.
Posted by tonycb (25 comments )
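The two mitigations discussed above, Microsoft's note that the attack vector requires active scripting and the commenter's "Navigate sub-frames across different domains" workaround (which the reply reports did not help on its own), can be audited from PowerShell. This is an added example, not code from CNET, Secunia, Microsoft or the commenters; it assumes the documented per-user Internet Explorer zone key (Zones\3 is the Internet zone), the documented setting IDs 1607 (sub-frame navigation) and 1400 (active scripting), and the documented values 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example: audit and optionally apply the two Internet-zone workarounds
# the page mentions. Assumed layout: documented IE zone registry settings.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$SettingNames = @{
    '1607' = 'Navigate sub-frames across different domains'
    '1400' = 'Active scripting'
}
$ValueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneSetting {
    param([Parameter(Mandatory)][string]$Id)
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    $raw = $props.$Id
    # Assumption: a missing value falls back to the Internet zone default, Enable.
    $value = if ($null -eq $raw) { 0 } else { [int]$raw }
    [pscustomobject]@{
        Id      = $Id
        Name    = $SettingNames[$Id]
        Value   = $value
        Meaning = if ($ValueNames.ContainsKey($value)) { $ValueNames[$value] } else { "unknown ($value)" }
    }
}

function Test-IESpoofMitigation {
    # Returns $true when at least one of the page's two workarounds is in place.
    $frames  = Get-IEZoneSetting -Id '1607'
    $scripts = Get-IEZoneSetting -Id '1400'
    $frames, $scripts | Format-Table Id, Name, Meaning -AutoSize | Out-String | Write-Host
    $framesOk  = $frames.Value -in 1, 3      # Prompt or Disable
    $scriptsOk = $scripts.Value -eq 3        # Disable
    if (-not $framesOk)  { Write-Warning 'Sub-frames may navigate across domains without a prompt.' }
    if (-not $scriptsOk) { Write-Warning 'Active scripting is enabled; the reported attack vector requires scripting.' }
    return ($framesOk -or $scriptsOk)
}

function Set-IESpoofMitigation {
    # Applies the workarounds for the current user only; a vendor patch still has to be installed.
    param([switch]$DisableScripting)
    Set-ItemProperty -Path $ZonePath -Name '1607' -Value 1 -Type DWord
    if ($DisableScripting) { Set-ItemProperty -Path $ZonePath -Name '1400' -Value 3 -Type DWord }
}

Test-IESpoofMitigation | Out-Null
```

Group Policy or a machine-wide zone policy can override the per-user key, so confirm the effective values in the Internet Options security dialog as well.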
Just uninstall IE....
Oh wait....thanks microsoft ;-)
Posted by tonycb (25 comments )
Not possible
If you are using Windows then it's not possible to uninstall IE; even though it gives you that option, IE still comes back up. This is because it is a critical component of Windows; it's pretty much the same thing as Windows Explorer, so technically you are using IE to browse the My Computer folder. What I have done is made Firefox my default browser and deleted all IE shortcuts. I would suggest the same for you.
______________________________
R.K.
http://www.Remove-All-Spyware.com
Posted by Roman12 (214 comments )
At this point...people that still use I.E. ....
At this point, people that still use I.E. get what they deserve.
Posted by anarchyreigns (299 comments )
A few small risks
Are more than worth it compared with spending a long time optimizing other browsers for 1/2 of my max speed.

Currently, on decent sites, I can't download at any decent rate of speed with an alternative browser. With IE, I can get files at roughly 700+KB/s. FF doesn't get anywhere near half of that.

And you can't fault the average Joe user, who has the Internet for nothing more than e-mail or Web browsing, for not using another browser. As most open source advocates would say, the main reason most people are using IE is because they don't know that an alternative exists.
Posted by Tomcat Adam (272 comments )
What a piece of CR@P!
Set IE to the highest possible security setting and never use it again, unless you absolutely have to. I hope Microsoft starts a contest to win $50,000 for every security bug people find before they release their new version of IE. They can afford it, and it will save them lots of face in the future. It will take a lot for me to gain back trust in IE.
Posted by rtuinenburg (171 comments )
They can't afford a contest
The rate at which we see IE bugs... at $50,000 per bug discovered, they will quickly burn through their cash reserves. Better solution: remove IE and all its hidden components and start bundling Firefox with Windows.
Posted by The_Nirvana (104 comments )
C2 Security Concerns
C2 security stipulates that you STOP all unnecessary processes and uninstall all unnecessary applications.

Since Firefox has come about... many people have deemed IE unnecessary.

Only problem is... there's no way to follow C2 guidelines for uninstalling it and stopping all the services related to it!!!

Walt
Posted by wbenton (522 comments )
IE 7 As Bad As IE 6
The last couple of browser security issues have shown up in IE 7 as well as older versions of IE. So what does this say about MS claims that the Geritol tonic for what ails you will be IE 7? It is more like Jim Jones Kool-Aid.
Posted by maxwis (141 comments )
That's the price of using a defective product.....
.... and IE is about as defective as you can get. I stopped using it years ago.
Posted by Earl Benser (4310 comments )
Firefox Newbie Very Impressed
In response to IE's recent series of unpatched security holes I installed Firefox for the first time. Security concerns aside, I find it to be faster, better, and of a more advanced design than IE.
Posted by john55440 (1020 comments )
Extensions
I switched over to Firefox some time back and continue to use it over Internet Explorer the large majority of the time.

If you're new to Firefox, might I suggest checking out "extensions" (available from https://addons.mozilla.org/extensions/). Extensions are basically small packages that integrate with the Firefox browser to add any number of new functions and browsing enhancements. Some of my favorites that you might want to look into for starters are:

- Adblock - automatically blocks/removes unwanted advertisements from Web pages you view.
- Adblock Filterset.G Updater - automatically updates Adblock's list of blacklisted addresses.
- Colorful Tabs - makes each tab a different color when using multiple tabs. Very handy.
- Copy Plain Text - copies text without formatting.
- Google Preview - adds thumbnail views of Web pages to your Google results.

Those are just a handful; there are MANY more.
Posted by supercoolpcguy (20 comments )
CallingID protects users from scam using this hole
When you use CallingID (free download at www.callingid.com) you are automatically protected from a scammer using this hole; you see the real owner of the site.
Posted by ba_oren (16 comments )
Another Copy/Paste headline
It was almost a week since the last one, wow.
Posted by aabcdefghij987654321 (1721 comments )