Microsoft's new browser haunted by old flaw

Microsoft's IE7 browser is affected by a two-year old problem first found to affect IE6

A security problem originally found in Microsoft's Internet Explorer 6 browser has returned to haunt IE7, the new version of the browser launched two weeks ago, a security consultant said Monday.

Danish security consultancy Secunia posted an advisory regarding an issue where an attacker could potentially snare logins and passwords from an unsuspecting IE7 user. Over two years ago, security researchers reported the same fault in IE6.

If a user visits a website specially crafted by an attacker, and then opens a "trusted" site such as a bank or e-commerce site that has a pop-up window, the attacker can put new content into the pop-up, said Thomas Kristensen, Secunia's chief technology officer. This could enable the attacker to ask a user for financial information or passwords, he said.

When the problem was revealed in June 2004, Microsoft gave instructions for a workaround for IE6: disable the setting "Navigate sub-frames across different domains." That setting is disabled by default in IE7, but does not appear to prevent the attack, Kristensen said.

Microsoft has been notified of the flaw, which was submitted to Secunia by a user, Kristensen said. Microsoft officials did not have an immediate comment on Monday morning.

Secunia rated the problem as "moderately critical," but Kristensen said the company was not aware of sites trying to exploit the flaw.

An alert user might notice that they're under attack: Since the URL for the pop-up window is visible, it may be possible to identify a fraudulent request for password information, for example. But "it would require you to pay some attention to the address bar," Kristensen said.

However, a clever attacker could also use this problem in combination with a pop-up spoofing weakness identified last week. Microsoft hasn't patched that problem.

Following IE7's release on Oct. 18, Secunia found a problem it shared with IE6. The vulnerability allowed an attacker to potentially read information from a secure website if the user had also opened a maliciously crafted website. Microsoft said that the problem is actually in code called by the browsers in another application, Outlook, which remains unpatched.

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?