Microsoft probing Internet Explorer phishing flaw
Last Updated: Thursday, March 15, 2007 | 5:38 PM ET
CBC News
A reported flaw in Internet Explorer that could let someone "easily conduct phishing attacks" against the web browser's users is under investigation, Microsoft Corp. said Thursday.
Danish security company Secunia ApS on Thursday issued an advisory about a flaw in the way the latest version of the web browser — Internet Explorer 7 — handles navigation, after being alerted by an independent researcher.
It is possible for an attacker to create a link to a phishing site, such as one designed to look like an online bank, through a specially crafted error page that appears in the browser.
| JARGON |
| Phishing is a technique in which criminals try to trick people into disclosing sensitive information such as online banking names and passwords and is often conducted through e-mails. |
"Microsoft is investigating a new report of a possible vulnerability in Internet Explorer," Bruce Cowper, senior program manager for the security initiative at Microsoft Canada, said in a statement e-mailed to CBC News Online by the company's public relations agency.
"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary," the statement continued.
"When the investigation is complete, Microsoft will take the appropriate action to protect our customers. These actions may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs."
No such advisory had been issued by early Thursday evening.
Microsoft has been touting the new anti-phishing and enhanced security features of its browser since it released the software in fall 2006.
Independent researcher found flaw
The problem was discovered by independent Israeli security researcher Aviv Raff, who reported it to Microsoft, he told CBC News Online Thursday.
"I was talking with them about other [vulnerabilities] and mentioned I was going to publish it," he said, adding that the world's largest software maker has not confirmed his findings or been in contact with him since then.
Raff publicly disclosed the vulnerability in a post on his blog on Wednesday.
When a person going to a web page cancels that navigation, its URL (universal resource locator) or website address is passed on to a so-called browser resource page on the computer, "navcancl.htm."
That resource creates a link so the user can reload or refresh the page of the site they were trying to visit. It is possible for an attacker to "inject" a script into the generated "refresh the page" link, and the user would go there when the page is refreshed, Raff wrote.
"To perform a phishing attack, an attacker can create a specially crafted navcancl.htm local resource link with a script that will display a fake content of a trusted site," Raff wrote.
Trusted sites could include an online bank, eBay or any other sites that people believe are secure.
Because the navcancl.htm resource would display the original site's URL in the address bar, users would have no idea that they were being guided to a false site designed to mimic the appearance of one that they trust, Raff said.
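The defensive counterpart to the behaviour described above, as an added example that is not from the article, Raff's post or Microsoft's code: an error page that builds its "refresh the page" link from an untrusted address should accept only absolute http(s) URLs and HTML-escape the result. The function names and sample addresses are hypothetical, and how the address reaches the page is assumed.

```javascript
// Added illustration: building a "Refresh the page" link on an error page
// from an address supplied by an untrusted source. Names are hypothetical.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Return the normalized URL if it is an absolute http(s) address, else null.
function safeRefreshTarget(untrusted) {
  if (typeof untrusted !== "string") return null;
  let parsed;
  try {
    // The URL parser lowercases the scheme and strips leading spaces and
    // embedded tabs/newlines, so disguised script schemes normalize here.
    parsed = new URL(untrusted);
  } catch (e) {
    return null; // relative or malformed input is never turned into a link
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // "trusted-name@other-host" makes the real host hard to spot; reject it.
  if (parsed.username || parsed.password) return null;
  return parsed.href;
}

// Escape the characters that matter inside an HTML attribute or text node.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render the link, or a plain message when the address is not acceptable.
function renderRefreshLink(untrusted) {
  const target = safeRefreshTarget(untrusted);
  if (target === null) {
    return "<span>Refresh is not available for this address.</span>";
  }
  return `<a href="${escapeHtml(target)}">Refresh the page</a>`;
}

// Constructed sample inputs (bank.example and phish.example are placeholders).
console.log(renderRefreshLink("https://bank.example/a?x=1&y=2"));
console.log(renderRefreshLink("  JavaScript:void(0)"));
```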
Safeguards mitigate risk
However, because Internet Explorer 7 handles many of its local resources within the restricted "Internet Zone" security settings of the browser, it should not pose a great threat to people who make use of the tool, Raff noted.
Secunia described the vulnerability as "less critical" — its second-lowest ranking on a five-point scale — and advised people to exercise caution when they are using Internet Explorer 7.
"Do not click the 'Refresh the page' link when the 'Navigation Canceled' page is displayed," Secunia's note said, also warning people not to click on links from "untrusted" sources.
Versions of Internet Explorer 7 that run on the Windows XP operating system and later versions are affected by the vulnerability, Secunia said, noting that other installments of the browser may also be at risk.

