October 25, 2006 4:45 PM PDT

Spoofing bug found in IE 7

Security experts have found a weakness in Internet Explorer 7 that could help crooks mask phishing scams, the type of attack Microsoft designed the browser to thwart.

IE 7, released last week, allows a Web site to display a pop-up that can contain a spoofed Web address, security monitoring company Secunia said Wednesday. An attacker could exploit this weakness to trick people into believing they are on a trusted Web site when in fact they are viewing a malicious page, Secunia said in an alert.

Image: IE 7 spoofing bug

"This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions," Secunia said. The company has created a demonstration that shows a Microsoft Web address in the pop up window, but displays content from Secunia.

The problem lies in the way Web addresses are displayed in the IE 7 address bar, a Microsoft representative said in an e-mailed statement. An attacker could exploit the issue by tricking a user to click on a specially formatted link, the representative said.

The pop-up will block the left part of the Web address, Microsoft said. "Clicking in the browser window or in the address bar and scrolling within it will display the full URL, however," the company said. In case of the Secunia example, the true Secunia URL is revealed.

An attack won't work if a Web site is known to be part of a phishing scam, Microsoft said. The IE 7 phishing shield will identify such sites and warn the user, it said. Microsoft is not aware of any attacks that actually use the reported vulnerability, the company said.

IE 7 is the first major update to Microsoft's ubiquitous Web browser in five years. Security was the No. 1 investment for the update, Microsoft has said. The phishing protection has been a major focus for Microsoft, shielding against malicious Web sites designed to trick users into handing over their personal information.

The spoofing issue, rated "less critical" by Secunia, appears to be the first genuine, publicly disclosed flaw in the new Microsoft browser. An earlier problem, disclosed a day after the IE 7 release, lies in Outlook Express, not IE 7, Microsoft has said.

Microsoft will continue to look into the problem and may provide a browser patch to fix it, the company said. In addition, Microsoft chided the anonymous discloser of the flaw. The software maker prefers that security issues be disclosed privately so it can repair them before they get publicly known.

See more CNET content tagged:
Microsoft Internet Explorer 7, phishing, weakness, address bar, Microsoft Internet Explorer


Join the conversation!
Add your comment
Time to give up.
If someone is using IE they deserve to be scammed virus infected or what ever. It is not like Microsoft thanks the company's that find the flaws. Let Microsoft users rot.
Posted by ralfthedog (1589 comments )
Reply Link Flag
You're right.
Anyone dumb enough to fall for this "bug" should be using Firefox. I mean who clicks on pop-ups, especially one that looks like the on in the example? It's obvious the address is selected, and if you click anywhere in the window, the entire web address shows up.
Posted by BoredAgain (7 comments )
Link Flag
So what do you choose?
Ok, you suggest people to give up using IE. And then what do you propose?

IE display the small address bar in the popup window so that people can see what is the real address of that window. Previous version, if it is a window popup, you can't see what the real address of this window is. With IE7, the popup window will display the small address bar at the top so that user can decide if it is phising. I think, this is a good feature. The vulnerable reported is that someone put some spacing in the address so that the last part of the URL is shown, which can be used to put fake address. But if you click on the browser window or inside the window, the real address will appear from beginning. Beside, there is still one layer of phising filtering.

Ok, tell me how this feature works in Firefox. I try it in Firefox, it's all the same as previous IE without displaying any address bar at all. The popup become perfectly fine for phising, if the phising filtering fail. Stop complaining without reason.
Posted by Gunady (191 comments )
Link Flag
Posted by outcast357 (1 comment )
Link Flag
Time to give microsoft a break
It's actually time to give microsoft a break. I mean, how many attacks will REALLY do something like this, where a link is SOOOOOOOOOOOOO long that you can't see all of it? Not many, I'd wager.

This isn't even really a security 'vulnerability', it's a problem with the browsers that extends to Firefox and Opera as well.
Posted by Leria (585 comments )
Reply Link Flag
Nice try.....
You should get a paycheck from the M$ marketing dept. You
sound like such an apologist and tool for Billyboy. He is taking you
on a ride, all the way to his bank.
Posted by Dr Dude (49 comments )
Link Flag
did you read ?
did you actually read what the vulnerability is about ? The popup shows microsoft.com in the address bar and window caption but displays 3rd party's content (secunia).

Firefox and Opera is not affected like you suggest.

Give a break for Microsoft ?? what are talking about ? MS sucks in security. Look at their stupid OS and browser.
Posted by Hardrada (359 comments )
Link Flag
tell that to some poor schmuck who gets phished...
...let's face it: not everyone is a sysadmin. (In fact I personally know a CompSci professor who got pulled in by a phish because he didn't think anyone would target a small-ish Utah-based credit union...)

And no, it isn't as easily explained as some problem that "extends to Firefox and Opera as well".
Posted by Penguinisto (5042 comments )
Link Flag
didn't happen with me
Tried it out using IE but didn't experience what was described. It took me to Microsoft but I got the Microsoft content, the exact same behavior happened in Firefox. Did this happen to anyone else? I'm not an IE fan but are we looking to hard for flaws?
Posted by guyfromtrinidad (39 comments )
Reply Link Flag
look for the popup
In the popup, you will see the address bar saying www.microsoft.com but the content will be from another website (Secunia). Attacker can use it for phishing since user sees microsoft.com in window caption & address bar.
Posted by Hardrada (359 comments )
Link Flag
Browser war 2.0
Thanks for that, sorry to sound like a noob I wasn't looking at the popup.
The sad thing about this is that because of all the IE7 vs Firefox 2 hype you have hackers working overtime to break both browsers. And it will be interesting to see if there will be any effect on IE's market share as this situation progresses and the mainstream press picks it up (the browser wars 2.0 had major coverage on BBC already), as we already know you can expect FF vulnerabilities to be fixed much faster than MS.
Posted by guyfromtrinidad (39 comments )
Link Flag
Exactly why Microsoft can't provide proper security!
Quote: "Microsoft chided the anonymous discloser of the flaw.
The software maker prefers that security issues be disclosed
privately so it can repair them before they get publicly known."

Security Issues: Publicly unknown (the users), privately WELL
known (the hackers). Those wanting to do harm to your
computer have their own underground information network
where as the users are left waiting like sitting ducks while
Microsoft gets around to releasing fixes in their own sweet time.
Keep those anonymous disclosers coming, it's the only way to
force Microsoft to live up to their obligations.
Posted by imacpwr (456 comments )
Reply Link Flag
Happens in ALL versions of Firefox too!
This is not limited to just IE 7, Firefox 1 ~ 2 are vulnerable as well. I have not tested on the other browsers out there
Posted by Hardrada (359 comments )
Reply Link Flag
yup.. my ff did it..
went to ms and then i clicked and went back to secunia.

you could pop an enter your MS PASSPORT ID window in the secunia test, and show the microsoft.com screen, and you will have stolen the user's passport.
Posted by baswwe (299 comments )
Link Flag
I just tested Firefox 2 at Secunia
Firefox behaves the same way. The text that pops up with Firefox 2 is (copy and pasted)

Secunia - Popup Address Bar Spoofing Test

This page could easily have contained malicious information spoofed as being from Microsoft, asking you to install programs or disclose sensitive information such as credit card details.

This is only limited by the imagination of the attacker (phisher).

Close this window and return to Secunia

Secunia - Popup Address Bar Spoofing Test

Why is this reported as though it's only a problem on IE7?
Posted by mattumanu (599 comments )
Link Flag
Come On
Please... a popup that block part of the address but you can click on the address bar and the real address is still there? How is that a bug? That company is just looking for stuff to attack IE7. Last week, when this company found a 'bug' in IE7, it turned out to be a bug in Outlook Express and not even IE7.
Posted by Gasaraki (183 comments )
Reply Link Flag
No one is safe
It doesn't matter what browser you use, you can still be infected by a trojan, worm, spyware or a virus. You simply click on a link or run a program and bingo, you're infected.

It happened to someone that posted his story about it here at news.com He clicked on a link for a media player that thought was being used by myspace.com but it was a trojan. It filled his machine with spyware and made his life a living hell. He was using firefox at the time and that didn't protect him.

In the end, it doesn't matter which browser you use if you still click on the link or run the program. Don't be fooled, think before you click!
Posted by thedreaming (573 comments )
Reply Link Flag
Re: No one is safe
No one is perfectly safe, but the chances of "bingo, you're infected" become highly unlikely if you are running a relatively secure (i.e non-Windows) operating system.
Posted by rcrusoe (1305 comments )
Link Flag
Maxthon's not affected.
At least mine isn't. It shows
<a class="jive-link-external" href="http://secunia.com/result_22542/?  http://www.microsoft.com/" target="_newWindow">http://secunia.com/result_22542/?  http://www.microsoft.com/</a>

Which is weird since it's using the IE engine, but I think it's the way Maxthon does tabbed browsing.
Posted by ReVeLaTeD (755 comments )
Reply Link Flag
It's just word wrap? Goes away OnBlur?
If you click on the client (html rendered) area of the popup window, the "spoofed" address seems to go away and the beginning of the address is shown. You could also try clicking on combo box arrow to show the whole address or just taking away focus from the address bar.

Look like it's playing with the edit box's word wrapping to show the second line.
Posted by jeolmeun (49 comments )
Reply Link Flag
You haven't seen anything yet!
I'm going to make sure I have plenty of popcorn on hand when Vista comes out, so that I can enjoy the buttery goodness of fresh popped popcorn while I watch all the reports of Vista also popping like popcorn.

Vista, the "Windows ME" of the NT code base. Mark my words.
Posted by gernblan (71 comments )
Reply Link Flag
You haven't learnt anything about Vista yet.
I, on the other side, am going to make sure I read the comments of ignorant Microsoft-bashers like you, so that I can have a good laugh while I read the sad excuses of people who realize Vista is, afterall, secure. And when you say Vista is the "Windows ME" of the NT code base you simply show and proove you have absolutely no idea what you're talking about (which is, interestingly enough, very usual when criticising Microsoft) and absolutely no idea neither about the critical changes made in Windows Vista (like changes in the network stack and the blocked access to the core level of the OS, which includes the drivers and dll's) and tells me you are up to a big disappointment and sadness when you and other ignorants like you who show to know absolutely nothing about Vista realize Vista is, afterall, not that insecure. Mark my words.
Posted by Ryo Hazuki (378 comments )
Link Flag
Vista already available
The beta's have been available for months. Release candidate 1 is already available. I bet you were one of those people who stocked toilet paper for Y2K.
Posted by Seaspray0 (9714 comments )
Link Flag
This time Secunia = BS
This is issue which is no big deal for the following 3 reasons:
1. On the pop-up all you have to is cliack the dropdown list and the entire true URL appears, not just the bit the Hacker wants you to see.
2. IE7 contains a quality phishing filter.
3. Anyone who enters financial info on a random popup is asking to be get ripped off.
This is not a critical bug where the hacker can take over your PC. It is a social engineering exploit. Those who use common sense will be safe.
One more thing, google "CA Antivirus Microsoft" and you can get a free 12 month sub to CA Anti-virus. Also turn on automatic updates and use the windows firewall if using XP. Finally don't run dodgy software (ie Kazaa), don't visit dodgy websites (ie porn, gambling etc} and protect your email account.
Posted by Jamie_Foster (77 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.