Yet another bug has been found in Microsoft’s recently-released Internet
Explorer 7 browser. The software giant is downplaying the flaw, which security experts say allows hackers to “spoof” Web addresses.
Reported by Danish security firm Secunia, the flaw hopes to trick IE7 users into clicking on seemingly legitimate Web destinations, a tactic known as “spoofing.” Rather than arriving at the expected address, IE7 users instead
find themselves the victim of phishing expeditions.
Microsoft, while responding it would investigate the report, downplayed
the seriousness of the problem. “We’re not
aware of any attacks that are attempting this, but as always we will
continue to monitor the situation throughout our investigation,” Christopher
Budd, security program manager of Microsoft’s Security Response Center
(MSRC)
blogged Thursday.
Budd wrote that while the URL of the spoofed address is displayed in IE7’s
address bar, only the right side is initially seen. Scrolling through the
URL will display the full address. Budd recommended users enable IE7’s
phishing filter. “The Microsoft Phishing Filter can help protect should any
phishing sites attempt to exploit this issue,” he wrote.
As internetnews.com reported last
week, the first security vulnerability of the new browser appeared just
hours after its release. That flaw, also posted by Secunia, targeted how
redirections of “mhtml:” URLs were handled. The hole posed the risk of
being exploited to cause IE7 users to access documents from another Web
site.
While Microsoft said the error was in part of Outlook Express, not IE7, the
software maker recommended users disable active scripting until it issued a
patch.
“You don’t need to pull the rip-cord,” Yankee Group analyst Andrew
Jaquith advised. Any new software release is going to be followed by a surge in
vulnerabilities, he said.
Despite the security concerns, IE7 is certainly an improvement over the
previous version of the popular Web browser. “IE6 was just band-aid after
band-aid” of patches.”
And although IE7 is more secure, we’ll never see error-free applications, Jaquith added.
“The reality is there’s always going to be another bug.”