Thursday, March 15, 2007

Another MS VISTA and IE 7 related problem.

An attacker can use an error message displayed by IE 7, the latest Microsoft browser, to send Web surfers to malicious Web sites that will display with the address of a trusted site, such as a bank, Aviv Raff, a developer in Israel, wrote on his Web site. Raff included an example where the error message directs the Web surfer to a site of his choice. Microsoft is looking into the issue at this moment.

The vulnerability relates to the message IE displays when Web page loading is aborted, Raff wrote. An attacker can rig the message by creating a malicious link. The message will offer a link to retry loading the page; hitting it brings up the attacker's page while showing an arbitrary Web address.

To launch a phishing attack, an attacker can create a Web link that purports to go to a trusted site, such as a bank. When clicked, the link results in a rigged error page. Following the reload link on that page will display the attacker's Web site with the address of the trusted site in the IE 7 address bar.

Phishing attacks are a prevalent Internet threat that typically use fraudulent Web sites and spam e-mail to trick people into giving up personal information such as Social Security numbers and credit card details. IE 7 is affected on both Windows Vista and Windows XP.