More phishing issues found, not a big problem says MS.
A second bug was spotted late last week in Microsoft’s recently released Internet Explorer 7 which could allow phishers to spoof the contents of the address bar, leading users to wrongly believe they are on a legitimate site. Since then, a more serious problem has been found by researchers at Secunia, which some reports suggest could also affect users of Mozilla Firefox, including the latest version, 2.0.
Both issues are legacy problems that also affect older versions of IE. The latest one could be used to inject content into a window popped up by another site, so that a window the user associates with a trusted site ends up displaying attacker-supplied content: another phishing risk that could fool users into trusting suspect information and possibly handing over sensitive details. As the problem is related to JavaScript, Firefox could be hit in a similar way, and indeed Secunia has released a test tool which some researchers have found to work on the Mozilla browser. The problem was first reported, affecting multiple browsers, in 2004.
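The mechanism behind that class of problem, as an added illustration that is not part of the original article and not Secunia’s test tool: a simplified model of how a browser resolves the name argument of window.open(url, name). In the legacy behaviour behind the 2004 window-injection reports a window name was one global namespace, so any site that knew (or guessed) the name of a popup opened by another site could navigate that popup to its own content. The hardened variant only lets a script re-target windows it opened itself or windows that share its origin. The BrowserModel class, the site names and the URLs are all constructed for this example.

```javascript
// Added example: a stand-alone model of named-window targeting. Not browser
// code; the sites and URLs below are constructed for illustration only.
class BrowserModel {
  constructor({ scopeNames }) {
    this.scopeNames = scopeNames; // false = legacy global names, true = hardened
    this.windows = [];            // every open browsing context in this model
  }

  // A top-level window the user opened by typing the URL (no opener).
  openTopLevel(url) {
    const win = { name: '', origin: originOf(url), url, opener: null };
    this.windows.push(win);
    return win;
  }

  // Resolve `name` on behalf of `caller`, the window whose script runs open().
  findNamedWindow(caller, name) {
    if (!name || name === '_blank') return null;
    const hit = this.windows.find((w) => {
      if (w.name !== name) return false;
      if (!this.scopeNames) return true; // legacy: any window with that name
      // hardened: only windows this caller opened, or of the caller's origin
      return w.opener === caller || w.origin === caller.origin;
    });
    return hit || null;
  }

  // window.open(url, name) as invoked by script running in `caller`.
  windowOpen(caller, url, name) {
    const existing = this.findNamedWindow(caller, name);
    if (existing) {
      // An existing named window is navigated, not replaced: this is the
      // injection point when the lookup is not scoped to the caller.
      existing.url = url;
      existing.origin = originOf(url);
      return existing;
    }
    const win = { name: name || '', origin: originOf(url), url, opener: caller };
    this.windows.push(win);
    return win;
  }
}

function originOf(url) {
  return new URL(url).origin;
}

// A bank opens a named login popup; an unrelated attacker site, open in the
// same browser, calls window.open() with the same name. Returns what the
// bank's popup now shows and how many windows exist afterwards.
function scenario(scopeNames) {
  const browser = new BrowserModel({ scopeNames });
  const bank = browser.openTopLevel('https://bank.example/');
  const popup = browser.windowOpen(bank, 'https://bank.example/login', 'bankLogin');
  const attacker = browser.openTopLevel('https://attacker.example/');
  browser.windowOpen(attacker, 'https://attacker.example/fake-login', 'bankLogin');
  return { popupUrl: popup.url, windowCount: browser.windows.length };
}

console.log('legacy  :', scenario(false)); // popup now shows the attacker's page
console.log('hardened:', scenario(true));  // attacker gets a separate new window
```

In legacy mode the bank’s popup is silently navigated to the attacker’s page while its chrome, position and the user’s memory of having just clicked the bank’s link all stay the same, which is why the address and SSL indicators are the only remaining tell; in hardened mode the attacker’s call simply creates a fourth, unrelated window.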
Microsoft has issued statements about both vulnerabilities, insisting that users who exercise proper precautions are not at risk. According to its blog entries, anyone faced with a window opened by a legitimate site but carrying spoofed data should be taking care anyway: double-checking the address, and noticing the absence of SSL connection indicators. The same indicators should also help those shown faked address bar contents, as should Microsoft’s new anti-phishing services.
‘There has been a torrent of browser vulnerability announcements in the last few months,’ said John Hawes, Technical Consultant at Virus Bulletin. ‘It seems that staying up-to-date with patches and updates, and running solid security software, is no longer enough to keep Internet users safe. We are expected to maintain constant vigilance and a paranoid attitude to everything we find on the web. Having some in-depth knowledge, both of how our own software tries to protect us and of how the attacks from the bad guys work, is also becoming more and more vital to surviving the online jungle.’
Secunia’s advisories are here and here, while the Microsoft blog entries can be found here and here. A report on the first IE7 vulnerability, also denied by Microsoft, is here.
The browser provided by ISP giant AOL, meanwhile, was also the subject of vulnerability reports last week, published some 11 days after AOL was informed of the problems and two days after fixes were released. The two buffer overflow issues in its ActiveX controls could easily be exploited for remote code execution, and are labelled ‘highly critical’ by Secunia; their alert is here, while more detailed reports from iDefense are here and here.
Posted on 31 October 2006 by Virus Bulletin