Microsoft Internet Explorer XSS vulnerabilty could provide bite for phishers

Share this article:

Microsoft's Internet Explorer 7 (IE7) is vulnerable to cross-site scripting that could allow attackers to spoof a trusted site to launch a phishing attack.

Vulnerability tracking firm Secunia ranks the flaw, discovered by Israeli researcher Aviv Raff, as "less critical."

Attackers are able to inject script into the "Refresh the page" link that appears on a webpage when navigation to a particular site is canceled. Cyberthieves can then lead unsuspecting users to a phishing site.

"The victim will think that there was an error in the site or some kind of network error and will try to refresh the page," Raff said on his website. "Once he will click on the "Refresh the page" link, the attacker’s provided content (e.g. fake login page) will be displayed and the victim will think that he’s within the trusted site because the address bar shows the trusted site’s URL."

Microsoft is investigating the "possible" vulnerability and was not aware of any customers being affected, a company spokesman told today in an email.

Raff said the bug could be exploited to launch a phishing attack if the user wants to get to a banking, ecommerce or social networking site, for example. But the flaw likely cannot be taken advantage of to execute remote code, he added.

"To perform a phishing attack, an attacker can create a specially crafted navcancl.htm (which signals a canceled navigation) local resource link that will display fake content of a trusted site," Raff said.

Secunia said in an advisory today that users should only follow links from trusted sources and should not click on the "Refresh the page" link when located on a "Navigation Canceled" page.

Click here to email reporter Dan Kaplan.


Share this article:

Sign up to our newsletters

More in News

Research shows vulnerabilities go unfixed longer in ASP

Research shows vulnerabilities go unfixed longer in ASP

A new report finds little difference in the number of vulnerabilities among programming languages, but remediation times vary widely.

Bill would restrict Calif. retailers from storing certain payment data

The bill would ban businesses from storing sensitive payment data, for any long than required, even if it is encrypted.

Amplification, reflection DDoS attacks increase 35 percent in Q1 2014

Amplification, reflection DDoS attacks increase 35 percent in ...

The Q1 2014 Global DDoS Attack Report reveals that amplification and reflection distributed denial-of-service attacks are on the rise.