Patch/Configuration Management, Vulnerability Management

Secunia, Microsoft disagree on another reported Internet Explorer 7 flaw

Researchers have discovered another flaw in Microsoft's Internet Explorer 7 (IE7) web browser, just released two weeks ago, that could allow attackers to steal a user's personal information through pop-up windows.

The vulnerability was first discovered two years ago in Microsoft's Internet Explorer 6 (IE6), according to Secunia. Microsoft, however, denied that the issue is a vulnerability.

An attacker can exploit the flaw by using a malicious website to inject content into a trusted site's pop-up window if the pop-up's target name is known. The attacker can then spoof the content of a pop-up window that had been opened on a trusted site.

Thomas Kristensen, Secunia CTO, said today that IE7 is vulnerable in its default configuration to such an exploit.

"This issue could be fixed in IE6 by setting the ‘navigate sub-frames across different domains' to disable. This setting is now disabled by default in IE7, but this does not appear to have any effect," he said. "The problem is that it is possible for a malicious website to inject new content into a pop-up window, which has been opened by a trusted site. This will trick many users and cause the user to believe that the content is served from the trusted site."

A company spokesperson said today that Redmond has investigated reports of the flaw and determined that it is not a vulnerability.

"The report describes a by-design behavior in popular web browsers that allows a website to open or re-use a pop-up window," the spokesperson said.

The spokesperson also recommended that PC users verify HTTPs before typing personal information into a pop-up window.

Secunia last week reported a vulnerability in IE7 that could be exploited during phishing attacks.

Just hours after it was released, researchers warned of a flaw in redirection handling for URLs with the mhtml: URI handler. Microsoft and Secunia had disagreed on that flaw as well, with Redmond contending that the issue was actually located within Outlook Express and not IE7.


Click here to email Frank Washkuch Jr.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.