IE7 flaw could expose users to phishing attacks: report

A reported flaw in the newest version of Microsoft's web browser could leave its users susceptible to fraud attacks of the sort that Internet Explorer 7 was built to stop.

The vulnerability could allow a scam website to open a pop-up browser window that contains a faked internet address, exposing Internet Explorer 7 (IE7) users to potential phishing attempts, according to an advisory issued by Secunia on Wednesday.

Phishing is a type of fraud usually conducted through e-mail or websites in which criminals try to obtain sensitive information such as credit card numbers and bank passwords by fooling people into thinking they are communicating with a trusted party.

The IE7 weakness could let a fraudster trick people into thinking they are on a website that they trust by displaying part of a legitimate address at the beginning of the URL (an acronym for uniform resource locator), the Danish security company said.

"The problem is that it's possible to display a popup with a somewhat spoofed address bar where a number of special characters have been appended to the URL," the alert published on Secunia's website says. "This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions."

Secunia has assessed the spoofing exploit as "less serious" its second-least critical rating on a five-point scale and advises people not to follow internet links they receive from unknown or untrusted sources.

Microsoft investigating

In a post to the Microsoft Security Response Center blog on Wednesday, the company said it is investigating the report and stressed that the browser's built-in tools should block attacks.

"In IE7, the Microsoft phishing filter can help protect should any phishing sites attempt to exploit this issue," Christopher Budd wrote. "We're not aware of any attacks that are attempting to use this, but as always we will continue to monitor the situation throughout our investigation."

The world's largest software maker advised people to follow measures outlined on its website to ensure they don't fall victim to any scams.

"Our general guidance as far as things you can do to help protect yourself against phishing attacks can help protect here. Specifically that you should never enter personal information into a website unless you've verified the server's name," Budd wrote.

Last week, Secunia reported a vulnerability in IE7 a day after the new software was released. Microsoft said the problem was actually with another Windows program, Outlook Express, but it could be activated through IE7, letting an attacker gain access to documents over the internet.