Microsoft probing Internet Explorer phishing flaw
Last Updated: Thursday, March 15, 2007 | 5:38 PM ET
CBC News
A reported flaw in Internet Explorer that could let someone "easily conduct phishing attacks" against the web browser's users is under investigation, Microsoft Corp. said Thursday.
Danish security company Secunia ApS on Thursday issued an advisory about a flaw in the way the latest version of the web browser — Internet Explorer 7 — handles navigation, after being alerted by an independent researcher.
It is possible for an attacker to create a link to a phishing site, such as one designed to look like an online bank, through a specially crafted error page that appears in the browser.
| JARGON |
| Phishing is a technique in which criminals try to trick people into disclosing sensitive information such as online banking names and passwords and is often conducted through e-mails. |
"Microsoft is investigating a new report of a possible vulnerability in Internet Explorer," Bruce Cowper, senior program manager for the security initiative at Microsoft Canada, said in a statement e-mailed to CBC News Online by the company's public relations agency.
"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary," the statement continued.
"When the investigation is complete, Microsoft will take the appropriate action to protect our customers. These actions may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs."
No such advisory had been issued by early Thursday evening.
Microsoft has been touting the new anti-phishing and enhanced security features of its browser since it released the software in fall 2006.
Independent researcher found flaw
The problem was discovered by independent Israeli security researcher Aviv Raff, who reported it to Microsoft, he told CBC News Online Thursday.
"I was talking with them about other [vulnerabilities] and mentioned I was going to publish it," he said, adding that the world's largest software maker has not confirmed his findings or been in contact with him since then.
Raff publicly disclosed the vulnerability in a post on his blog on Wednesday.
When a person going to a web page cancels that navigation, its URL (universal resource locator) or website address is passed on to a so-called browser resource page on the computer, "navcancl.htm."
That resource creates a link so the user can reload or refresh the page of the site they were trying to visit. It is possible for an attacker to "inject" a script into the generated "refresh the page" link, and the user would go there when the page is refreshed, Raff wrote.
"To perform a phishing attack, an attacker can create a specially crafted navcancl.htm local resource link with a script that will display a fake content of a trusted site," Raff wrote.
Trusted sites could include an online bank, eBay or any other sites that people believe are secure.
Because the navcancl.htm resource would display the original site's URL in the address bar, users would have no idea that they were being guided to a false site designed to mimic the appearance of one that they trust, Raff said.
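The defensive counterpart to the flaw described above, as an added example that is not from Raff's post, Secunia's advisory or Microsoft's code: a hypothetical error page that accepts only http and https addresses and HTML-escapes them before building its "Refresh the page" link. The function names and sample addresses are assumptions made for illustration.

```javascript
// Added illustration; this is NOT Internet Explorer's navcancl.htm source.
// A hypothetical error page receives the cancelled address and offers a retry link.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape characters that could break out of an HTML attribute or element.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Return a normalized address that is safe to link to, or null if it is not.
function safeRefreshTarget(failedUrl) {
  let parsed;
  try {
    parsed = new URL(String(failedUrl)); // throws unless it is an absolute URL
  } catch (err) {
    return null;
  }
  // Script-bearing schemes such as "javascript:" never become a link target.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Build the retry link, or a plain message when the address is rejected.
function renderRefreshLink(failedUrl) {
  const target = safeRefreshTarget(failedUrl);
  if (target === null) {
    return "<span>Navigation was canceled.</span>";
  }
  return '<a href="' + escapeHtml(target) + '">Refresh the page</a>';
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  "https://bank.example/login?next=/home", // ordinary cancelled navigation
  "javascript:void(0)",                    // script scheme: rejected
  'https://bank.example/"><b>x</b>',       // markup in the path: neutralized
  "not a url",                             // unparseable: rejected
];

function demo() {
  return SAMPLES.map(renderRefreshLink);
}

console.log(demo().join("\n"));
```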
Safeguards mitigate risk
However, because Internet Explorer 7 handles many of its local resources within the restricted "Internet Zone" security settings of the browser, it should not pose a great threat to people who make use of the tool, Raff noted.
Secunia described the vulnerability as "less critical" — its second-lowest ranking on a five-point scale — and advised people to exercise caution when they are using Internet Explorer 7.
"Do not click the 'Refresh the page' link when the 'Navigation Canceled' page is displayed," Secunia's note said, also warning people not to click on links from "untrusted" sources.
Versions of Internet Explorer 7 that run on the Windows XP operating system and later versions are affected by the vulnerability, Secunia said, noting that other installments of the browser may also be at risk.

