Two more IE7 bugs downplayed by Microsoft

Posted by   Virus Bulletin on   Oct 31, 2006

More phishing issues found, not a big problem says MS.

A second bug was spotted late last week in Microsoft's recently-released Internet Explorer 7, which could allow malicious phishers to spoof the contents of the address bar, leading users to wrongly believe they are on a legitimate site. Since then, another more serious problem has been found by researchers at Secunia, which some reports suggest could also affect users of Mozilla Firefox, including the latest version 2.0.

Both issues are legacy problems, also affecting older versions of IE. The latest, which could be used to inject content into a window popped up by another site, is another phishing risk which could fool users into trusting suspect information, and possibly handing over sensitive details. As the problem is related to Javascript, Firefox could also be hit in a similar way, and indeed Secunia has released a test tool which some researchers have found to work on the Mozilla browser. The problem was first reported, affecting multiple browsers, in 2004.

Microsoft has issued statements about both the vulnerabilities, insisting that users exercising proper precautions are not at risk. According to their blog entries, those faced with a window opened by a legitimate site but carrying spoofed data should be taking care anyway, double-checking the address, and should also spot the absence of SSL connection indicators. These same indicators should also help those shown faked address bar contents, as should Microsoft's new anti-phishing services.

'There has been a torrent of browser vulnerability announcements in the last few months,' said John Hawes, Technical Consultant at Virus Bulletin. 'It seems that staying up-to-date with patches and updates, and running solid security software, is no longer enough to keep Internet users safe. We are expected to maintain constant vigilance and a paranoid attitude to everything we find on the web. Having some in-depth knowledge, both of how our own software tries to protect us and of how the attacks from the bad guys work, is also becoming more and more vital to surviving the online jungle.'

Secunia's advisories are here and here, while the Microsoft blog entries can be found here and here. A report on the first IE7 vulnerability, also denied by Microsoft, is here.

The browser provided by ISP giant AOL, meanwhile, was also reported to have suffered vulnerabilities last week, some 11 days after AOL were informed of the problems, and two days after fixes were released. The two buffer overflow issues in the ActiveX controls could easily be exploited for remote code execution, and are labelled 'highly critical' by Secunia - their alert is here, while more detailed reports from iDefense are here and here.

Posted on 31 October 2006 by Virus Bulletin

 Tags

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.