Posted by Virus Bulletin on Oct 31, 2006
More phishing issues found, not a big problem says MS.
A second bug was spotted late last week in Microsoft's recently-released Internet Explorer 7, which could allow malicious phishers to spoof the contents of the address bar, leading users to wrongly believe they are on a legitimate site. Since then, another more serious problem has been found by researchers at Secunia, which some reports suggest could also affect users of Mozilla Firefox, including the latest version 2.0.
Both issues are legacy problems, also affecting older versions of IE. The latest, which could be used to inject content into a window popped up by another site, is another phishing risk: it could fool users into trusting suspect information, and possibly into handing over sensitive details. As the problem is related to JavaScript, Firefox could also be hit in a similar way, and indeed Secunia has released a test tool which some researchers have found to work on the Mozilla browser. The problem was first reported, affecting multiple browsers, in 2004.
Microsoft has issued statements about both the vulnerabilities, insisting that users exercising proper precautions are not at risk. According to their blog entries, those faced with a window opened by a legitimate site but carrying spoofed data should be taking care anyway, double-checking the address, and should also spot the absence of SSL connection indicators. These same indicators should also help those shown faked address bar contents, as should Microsoft's new anti-phishing services.
'There has been a torrent of browser vulnerability announcements in the last few months,' said John Hawes, Technical Consultant at Virus Bulletin. 'It seems that staying up-to-date with patches and updates, and running solid security software, is no longer enough to keep Internet users safe. We are expected to maintain constant vigilance and a paranoid attitude to everything we find on the web. Having some in-depth knowledge, both of how our own software tries to protect us and of how the attacks from the bad guys work, is also becoming more and more vital to surviving the online jungle.'
Secunia's advisories are here and here, while the Microsoft blog entries can be found here and here. A report on the first IE7 vulnerability, also denied by Microsoft, is here.
The browser provided by ISP giant AOL, meanwhile, was also reported to have suffered vulnerabilities last week, some 11 days after AOL were informed of the problems, and two days after fixes were released. The two buffer overflow issues in the ActiveX controls could easily be exploited for remote code execution, and are labelled 'highly critical' by Secunia - their alert is here, while more detailed reports from iDefense are here and here.