RealTime IT News

Another Bug Bites IE7

Yet another bug has been found in Microsoft's recently-released Internet Explorer 7 browser. The software giant is downplaying the flaw, which security experts say allows hackers to "spoof" Web addresses.

Reported by Danish security firm Secunia, the flaw hopes to trick IE7 users into clicking on seemingly legitimate Web destinations, a tactic known as "spoofing." Rather than arriving at the expected address, IE7 users instead find themselves the victim of phishing expeditions.

Microsoft, while responding it would investigate the report, downplayed the seriousness of the problem. "We're not aware of any attacks that are attempting this, but as always we will continue to monitor the situation throughout our investigation," Christopher Budd, security program manager of Microsoft's Security Response Center (MSRC) blogged Thursday.

Budd wrote that while the URL of the spoofed address is displayed in IE7's address bar, only the right side is initially seen. Scrolling through the URL will display the full address. Budd recommended users enable IE7's phishing filter. "The Microsoft Phishing Filter can help protect should any phishing sites attempt to exploit this issue," he wrote.

As internetnews.com reported last week, the first security vulnerability of the new browser appeared just hours after its release. That flaw, also posted by Secunia, targeted how redirections of "mhtml:" URLs were handled. The hole posed the risk of being exploited to cause IE7 users to access documents from another Web site.

While Microsoft said the error was in part of Outlook Express, not IE7, the software maker recommended users disable active scripting until it issued a patch.

"You don't need to pull the rip-cord," Yankee Group analyst Andrew Jaquith advised. Any new software release is going to be followed by a surge in vulnerabilities, he said.

Despite the security concerns, IE7 is certainly an improvement over the previous version of the popular Web browser. "IE6 was just band-aid after band-aid" of patches."

And although IE7 is more secure, we'll never see error-free applications, Jaquith added. "The reality is there's always going to be another bug."