Microsoft's updated web browser has an old vulnerability that could let online criminals capture sensitive information such as passwords, a Danish security company reported on Monday.
"A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites," Secunia said in an advisory posted to its website on Monday.
"The problem is that a website can inject content into another site's window if the target name of the window is known," the advisory states.
The flaw is virtually identical to one found in Internet Explorer 6 almost two years ago.
Microsoft could not immediately be reached for comment.
The so-called window injection vulnerability could let a specially designed website insert content into a pop-up window opened on a trusted site such as a bank.
The spoofed pop-up window could be used to trick people into revealing sensitive information, thinking that they are dealing with a legitimate site.
"Do not browse untrusted sites while browsing trusted sites," Secunia advises.
The company has constructed a test, available on its website, to help people assess whether their web browser is susceptible to the phishing vulnerability.
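Secunia's test checks the browser. On the site side, the condition the advisory names (a window whose target name is known) can be audited in a page's own source. The following is an added example, not code from Secunia or the original article; the function names and the sample page are constructed for illustration, and the regular expressions only catch string-literal names.

```javascript
// Added example: list pop-ups and link targets that use a fixed window name.
// Reserved targets never create a named window, so they are not reported.
const RESERVED = new Set(['_blank', '_self', '_parent', '_top', '']);

// window.open(url, 'name', ...) with a string-literal second argument.
const OPEN_CALL = /window\.open\s*\(\s*[^,()]*,\s*(['"])([^'"]*)\1/g;
// <a target="name">, <form target="name">, <base target="name">, <area target="name">.
const TARGET_ATTR = /<(a|form|base|area)\b[^>]*?\btarget\s*=\s*(['"])([^'"]*)\2/gi;

// 1-based line number of a character offset in the source text.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Returns [{ line, kind, name }] for every fixed, non-reserved window name.
function findFixedWindowNames(source) {
  const findings = [];
  for (const m of source.matchAll(OPEN_CALL)) {
    if (!RESERVED.has(m[2].toLowerCase())) {
      findings.push({ line: lineOf(source, m.index), kind: 'window.open', name: m[2] });
    }
  }
  for (const m of source.matchAll(TARGET_ATTR)) {
    if (!RESERVED.has(m[3].toLowerCase())) {
      const kind = `<${m[1].toLowerCase()} target>`;
      findings.push({ line: lineOf(source, m.index), kind, name: m[3] });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page (not taken from any real site).
const SAMPLE_PAGE = [
  '<a href="/help" target="_blank">Help</a>',
  '<a href="/login" target="loginPopup">Log in</a>',
  '<script>',
  "function showStatement() { window.open('/statement', 'statementWin', 'width=400'); }",
  "function showFaq() { window.open('/faq', '_blank'); }",
  "function showNews(n) { window.open('/news', n); }", // computed name: needs manual review
  '</script>',
].join('\n');

console.log(findFixedWindowNames(SAMPLE_PAGE));
```

Each finding is a window name that anyone reading the page source can learn. Names passed as variables are not flagged and need manual review.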
Secunia rated the problem as "moderately critical," its third-highest rating on a five-point scale.
Last week, Secunia reported that a different IE7 vulnerability could allow a scam website to open a pop-up browser window that contains a faked internet address, exposing the browser's users to potential phishing attempts.