Microsoft is investigating a possible vulnerability in Internet Explorer 7 that could help cybercrooks launch phishing scams, the company said Wednesday.
An attacker can use an error message displayed by the latest Microsoft browser to send Web surfers to malicious Web sites that will display with the address of a trusted site, such as a bank, Aviv Raff, a developer in Israel, wrote on his Web site. Raff included an example where the error message directs the Web surfer to a site of his choice.
Microsoft is looking into the issue, a representative said. "Microsoft is not aware of any attacks attempting to use the reported vulnerability," the representative said in an e-mailed statement. "Microsoft will continue to investigate... to help provide additional guidance for customers as necessary."
The vulnerability relates to the message IE displays when Web page loading is aborted, Raff wrote. An attacker can rig the message by creating a malicious link. The message will offer a link to retry loading the page; hitting it brings up the attacker's page, but showing an arbitrary Web address, he wrote.
To launch a phishing attack, an attacker can create a Web link that purports to go to a trusted site, such as a bank. When clicked, the link results in a rigged error page. Following the reload link on that page will display the attacker's Web site with the address of the trusted site in the IE 7 address bar, Raff wrote.
Phishing attacks are a prevalent Internet threat that typically use fraudulent Web sites and spam e-mail to trick people into giving up personal information such as Social Security numbers and credit card details.
IE 7 on Windows Vista and Windows XP are affected, Raff wrote.
Does MSFT Get a Cut of the Take on the Phishing Scams?
The company's entire operating system seems to be one enormous crime machine.
Hey, no software company could be this incompetent decade after decade with a specific purpose, could it?
There must be a profit angle for MSFT. Everyone, including most of the governments of the western world agree on one thing, that MSFT is a criminal enterprise organized to restrain trade. Ballmer is always screaming about 'killing Google', 'killing x', 'killing y', 'killing z', throwing chairs and appearing at events acting like John Gotti without manners.
So, Apple, Sun and even the Linux community should be taking a cut as well? Because their products get about the same number of vulnerabilities and holes (way more in the case of Apple) than Microsoft's. And yes, they are not nearly as exploited as Microsoft products are. But that's besides the point. You say that Microsoft cannot possibly be this incompetent. But the others apparently are?
This is another example that demonstrates the need of a real safe browsing solution, like CallingID toolbar. I when to the demo site set by Aviv Raff and CallingID told me that this is not CNN.
Like the crud of vista, ie7 is a top heavy offering with no real discernable benefit. In fact on the machines it was installed, it caused more errors and performance problems than any other version to date.
Actually, for a scammer to make use of this scam, he or she has to first lure the user to get to a real, undisguised URL. Then, from that the user can be redirected to a disguised URL. While this is certainly a flaw, it doesn't seem to be a big risk at all. BTW, I've been using VIsta for a few months, and I simply cannot go back. It works flawlessy, it is way more reliable than XP ever was and I haven't had a single security issue so far. If those are not compelling reasons, I don't know what they are. And yes, getting drivers for Vista used to be a pain, but at this point every driver for every device on my computer is available, so that seems not to be a big issue anymore.
Chinese authorities have reportedly taken iPads from a third-party retailer, a move apparently brought on by Apple's continued refusal to honor a trademark for the iPad name owned by a Chinese manufacturer.
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
This week, we pass around Sony's new PlayStation Vita for some hands-on testing, check out HP's newest Beats Audio laptop, and debate the best and worst Valentine's Day gadget gifts.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
Hey, no software company could be this incompetent decade after decade with a specific purpose, could it?
There must be a profit angle for MSFT. Everyone, including most of the governments of the western world agree on one thing, that MSFT is a criminal enterprise organized to restrain trade. Ballmer is always screaming about 'killing Google', 'killing x', 'killing y', 'killing z', throwing chairs and appearing at events acting like John Gotti without manners.
Hmmmm...
And yes, they are not nearly as exploited as Microsoft products are. But that's besides the point. You say that Microsoft cannot possibly be this incompetent. But the others apparently are?
While this is certainly a flaw, it doesn't seem to be a big risk at all.
BTW, I've been using VIsta for a few months, and I simply cannot go back. It works flawlessy, it is way more reliable than XP ever was and I haven't had a single security issue so far. If those are not compelling reasons, I don't know what they are.
And yes, getting drivers for Vista used to be a pain, but at this point every driver for every device on my computer is available, so that seems not to be a big issue anymore.
>>>An attacker can use<<<
Can means that it CAN be done.
But the title says:
>>>Microsoft probes possible IE 7 phishing hole<<<
If it's not possible, then it can't be done. Sorta makes reading a bit confusing.
So is it possible, but Microsoft has yet to confirm that it's possible or what?
Or is it not possible and people only suspect that it can be done?
Get your facts and report them clearly and concisely!!!
Walt