Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Confirms IE Phishing Flaw



 By: Ryan Naraine
2005-02-23
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The bug, which opens the door to URL spoofing attacks, was found on a fully patched system running IE 6.0 and Windows XP Service Pack 2.

Software engineers at Microsoft Corp.s security research team have confirmed the existence of a bug in the Internet Explorer browser that opens the door to URL spoofing attacks.

The flaw, which has been widely reported on public mailing lists, can be exploited by a malicious attacker to spoof the URL of a pop-up advertisement and has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP Service Pack 2.

According to a Microsoft spokesperson, Windows XP SP2 requires the URL of pop-up ads to display in the title bar when a pop-up has been opened without the address bar. "Our early analysis indicates that only pop-up ads that contain extremely long URLs can be spoofed in this scenario," the spokesperson told eWEEK.com

Resource Library:

"There is no attack that utilizes this, and Microsoft is not aware of any customers currently being affected by this situation," she added.

An advisory from security research outfit Secunia said the bug can be exploited to trick a user into entering sensitive information in a pop-up placed over a trusted site.

Microsoft says IE 7 will include technologies to help prevent URL spoofing in phishing attacks. Click here to read more.

There is no patch available yet to correct this issue. Secunia recommends that IE users avoid sensitive information in pop-ups after following links from untrusted sources.

Microsoft also urged customers to follow best practices to prevent identity theft from spoofing and phishing attacks. On its Web site, Microsoft has posted guidance to help customers track and report phishing attacks.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Microsoft Confirms IE Phishing Flaw
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r8vDZӮK-iXTn((ئHIyž>fृ|T{-W-`L$w~vv> IM˙sל۔\sPç v$5wvC2i*_ d&@ jہ)}mk4 uB;;#|6S%}w *s=NN5KԚLÆ`&$Ʈl dkdp,FcwO5d{=B ~5[6m(GJŻ?KE!wO׶Cշ8>vP ߩUaÙO,}!*{> e%k4݋ʏIGO(?ȀYFz.Qu^Vٮq4]b'*cO^3jc㥨 aP`\9t} G&lw&"ScO$ӡNfI%p'0Q#@ڮSVHf̲;o tG ob}uק&[! bS 3MuN_FBS Ig%KaW+)Kk0~b[4Ip\.* }= :ҍ}4 .j.9a&ԃ)}(p}=\'BL}:n/EӝÌfؖqSth(͡V*Z]QKru_):?Wwcwm9{ 2+ѹRU5MQ ? n8uh;ZCJy]J> y Es3^_D_j0QEVKY/ ZHo4C+D_x0Nusn6 @kiFkPYTak6R\ 9jb)6B̄H )'wRߧ,-|y"brݠHPs>Χ+foF"> 23yB(&pHqb&μbO૖yx1jY[6'jtamI՘iS_ӲKwI|IwN؁)WIC EhYf7-vIqM}sQU1W*P\?,Ëʾb(7ZdL,5,{Ltp6 0hv?3Ϩig89yt$AG61^zK ucj>; äwX8}ZcO6/|\a֌^탉i$>6(Z\?` VCf@B떂9;׿ޚA"Qފ]ӑ4a qj =*~s=w}   @l߽5#~[-[Y6x O͹A (~~9-WRC/0t[t}JIIL"D% R h4AGEBENmbo$HXVphT6ݞH:s'PT+esRأXB YX/E_R23#CdɬaX91{MfT`"[ᛥLKak`FX,CMۯ!M{:eXy@ }= 3ܲM҂%Ll;!i`3Ґ(e`9ޟFa]t0x>fXfZ1kpJa"@dufB7g ƩeLI|B3} H8M;luV<ۢf|a* ,qrׁfX8ȣ=p TfҬ||=厬m[_4@W*|zS.z:ԍ$r%5kb$T`CL !1Ad/a:(uC|pöVOUKg+B-zESZ2ej [`B]PeܠQ@7%XsPQ[ |tkuPCߵs|#S=dsquwH~qP9s?磔YTp$4hS*}a5)403yb|Fȸ>qm?XĞ?x8[0,Y\Ζ']5!@0mE"A`iNR} ز^z`׽iAʫe&-JjE)jB4'i/#Y /m0ܱk]>aD6#BQZ>-B-g \ipbZDZLhKgAqA0*L\y.rV~ 2­qŝa&1 DR)Ö13wdi'GםT'/咢TSҐah"pHEAxZkhpL@U.)L-9Hz  [ hg [Qzn3Cz+o `RI:,Cd>5>OM{c>4Ye fyP2~2j&8x_ℯ? q+zSAqf -2/|QқL}6݂ /\r?09X>>: '212& z@j9ajv6̌k}]P~n`7,mCc$ D!S#2!z p[kh0hmf;;pLjg %Jk欩x+sJbOW2EZiz|ylƵYT{E3p{ݹY$'8 MGFi$]k|[P vfȵ w6N1L Ma}VD ϓ1W5 d,fqNg0cp&vN{%ס9,3?t\:kt?y{z&wtfX uLzϡRB71PUL xg4sgDcC6VNM&Wm"z'"#VS"K8ߋIUfS΁MOT%0=@" c].g}]٘yֱ4>ʐixG2gdY JhUm{\ cg2|>_&I|SeYȣV)+Y+T\U񋰷8C+`-XRj#L*"'o&ŏ[o(urN3HG~T>Uʠˏ}b*kZQR^?*K9 ^uL lZKq~XC kp= 2j=uR/̖ M%4e%3E/쎸-9DXPV9ɷwnj‰<8 +A񷠐n)ɑXXD>ġifR{e">QTk㘘= [( L $q)YUihj/nL1ƙ0:kŠrZ (JQ?vm@:iwϾ =~?Н :wo&Cr~<izŻRxYԽhwq@*5|}hK?pȁ>KMw$(XM,I^i{{j+6zv9D2SH#r zycB|wֻ'Y#{.[jܨZgݏ, YE#BuZWȧ5Ak3d4) 3uX#axK#&WDH[(`UsřB9ki.Dz=t_5g0YT p-)cgcs}eYLoH:|X!bPH\R ~tDۿR!G[yQb}b%h4eW:Bzc?<-)tx! fҮӢ_,wгO5nf}GQ-gFq?Imظ2UT(sX6 w{B s?ݡCO6v4D]{gE Zzwng},da}?H+Fyc(\ZSi٘&BERTUjlko$rYpJE_V ;d,E',n9P2QvAK Js`̾qCwbJP|]& {~W]ߣPIݣ)~=mҊ(r]ZD܎q5U {II5)tu<-J`RToy^f} m$.Ekg[#D:*t'y||nƄ?maTz]Pe(Go{ p@. ˇ'#8S<.Ч,1ot)t ;|i"HyVѓerE!,Ue6TV)Tjd_hั1'($_c5Ax@`J ]1P' z؅ w/kS\)ןG;3(gHS4][N z Pq2BRzZ:ʆs  z& #~aqOwৗ4)E cRtV-ed=ISX50Zaa#(ו0d Y|8nM`,%V`G0WuڕA$Ojy«D b$:3jbԽr yׄH瘗JZ9wo8MymY겎H%q Cx;J~أZjcsFfI`a7JwSSZZlN+v!oWH‹JCymbTXPN&fp$<2^ ֜9J3ge39["S H[uhq89YYv/sdwk<6zrax>d dݦ~8w3I.*+%.`VIV/26#񰲸ܢIo"~l$=ڌh,:F[BǗǪ^Ӡ64j-ɓɌ+O1nì-OaHK{SnGue#5h$r6Ͳ$_[ՠ#ײ}"uυvU6eK뒫L)ξԦnفeXUc HBF7Ϡ2=rsZ۔*O!g9#/ 3^PD yHq ZZm_XXuyk7Mф&Ѝ4g8kk,S|⋯9)W_l),8:WT<ôs '֡a PH 'ڛ7G?emms[qNURX{q{D:rA0\7É{,Ƌxx4=0HD@JbH7I9ODnɀ1 973sq1.aqE7o7o7o7oxKZYQmNT;+]t uMKU_0^Q Q|9 I}eVՈ4W?p|^Xl|Ik^Wi_r2pͬ]MAksamn+~+4m nnPiCF(JA:ݶ^gtg̛Q5rqDžH %DA⍉6Ghonsr9ٽ$<Ԧv=TOQmXgCdR vK[6s7˭xL0#x߀[Lm0zt<+$ʛέ̌:y: @J1nýH 6<[v';[XIG.# Ȕ[$UU*5W%vep7 edxpџH升l!nնYK6SO7g>|4rsJ\eߥ}eT:ؽ\_Q 5F5 #NP"׏Q" m}nZW-pu:Yal~kӫJx;.zѐ=wXko- xfˤ'?2=rREM30=mO-po0@iΕ[xx5wZ0,^3u][2)PAN {r闶Q0|ȧ%٤& d^ m/ I*,b'rĥX,hILÑ@u}œ3TQJɡGzy][u4-~7᭙eS9cGfi=osT⯠œVfVPs7 %>)fF<@&Ljj=!vcc`..қ≡37:US` Ñ;7S7ƔE[TxSvXfW 1{x}BI(# @`m4,\ $4BπTa>A4`]*3hZ%|z3|TϡVR*jZ?V;ϯ!_הV/!σ#x@4r3|nM6OB .kXl; #W*ZTf0@ZRa )d Hw@֌l0Y>GV$؛ ~v`O0qgx0|rP[˜ozp׳&KP`J|̷"D$3~0K{EMF^[COxrNOOth'&v* &V*t|"m1Iέz_ayZܾ\`{A䬼2Yqc[QZJYb0 ":;Kkf@NuGw,}s[ 0=:Iߣ4 ?R)%o$:* |9`VO0lY̪ɘTbtbl71Ք7ZvN[{Ŏd&׈1c qLW<00t#PγjNT\OpY|XC3 L_~­R^+S[YS!_E_t[6˺fZ %GtMt57+ St#?+){ڞUޓϞbi4<8l@ "6 ?Ki:N~VP߁G׀gU""a=X *>ndeH H]YUc `xH$!fM~huE :W} d#?s2 Hv%?Ņ@GoE%wjL!'vq]Q s*]QĘuU?#7,>1>B$!i?/W}e_a!9'ph\pr@KK+2&Bs879࿾_LIN % a k(E$[T\څۈ) 0װÞ1;my^ܛ'm/u 2#{K&(?,p֏D {GLƙ;fSZ,Ws ԃOV@R*tQ:..( oIYPXP؟S?pk'o触H0^omn#LU"(3[]ă0T]w730lMqW'Ag#<|4BLkQ.閣FMQpV#ߛ~Sg8XMں9P0C(-ŌCZS*ѓȤ+t!dW`ǪZIWv'0x1nV?w.4W PRx 4 V cvFCd2=`f:,BuyyH\u:|սt{sֻ3Q֊E_gn՝^qIsyս'hL晾,Ǜ,# rr:0;eNq(gM B*rKxu, /%qx&Ó(?E_VCĸҫSe0LLNS+t_?gg:^Z9v!6^7ixsS:X)` FIg r!>w:һIJ/΀r_r_sʯj}q 8Sރ^N9r`}yhCI}>B?'([hvחwۅfS3݋r7 _9_3s<s{Csy}ρ?ss ro(O_r3+>9~P~W{ÿuN9$)gV.qv*esS^)4rR}~ )P'9PϪ ~22R@~W~_} kN+ťfW*7yKxM}%kg[Z1iu}חG{1*,xW&4  )htVydSrbye?VRRw;]Cڤ\j.{]r-Xѧ^5_9x=* u=}|,y|8SNtw1W }^1B8 gvt{z&%݆.n 5rxL|uӚ޴\*v<2kݫ++#BAfп~%kS$N^eM+5VkZpWrDa3=""CmP*R'Ӏe`_)&K<# .=M^et fMȡ!pAfJC#Dk(x>Xxc6Dy_ƴmBfh0l|y Nd@7 ,5w;Ũ@^k΃s]|LAÆ/^Ėٵv"n<2w)z6_e~byԶY"D˼xl4@[4Dr(9Pų l1@ҙ zsKgDr&ߢ)tφ} T/AD[e"fx¡D:~ sn7:aKƘS D-%w|uI.^.˃a-C7x`b̜#M^`yC0HsA;׿$0y.6'dŤe @ s -e=xn'qgO;פr%ಓJ_b'cEy&fb P|_|f9{[!fI!39L]&lʗ>[l,)1 {;Kh64s ` C{)B9o;O咤 X3W]dA_d|bOh>Zo.TùLHd v"ё{?pRFs_-8 bsފjd!׶zK2jSo:h}vseX0D00Y~l+>AՋpaHzBX9wtZзkdY9Hz&zU x$.7=j"1: gC“J'z{[oݭ\D)R%:/fk[enB`+/2^;'gH2Gd!᳤c9*3>S2m-(Er};{,}d/+2bХvHyU_@"&PɕX)umȧ|oW|F,kl`B`t)p*sC@_ܹeUhJl[9Ud2- kc'pg!-X0 n=ձ]w O`7@#>&rd{Ko^PeSsB%:Ɛ9-S)0p,\ftGGm2`͍G:Ζ$_)0uCr:vY 96+-  `ꎈM6i֘DR*,Dl'f , ~sf㿶;(@P W91"uz ?[<-v;# +_2sE>v/-GJ[3RpCV)tO䋰OMu͌;_X (K# LɮJ}9N]RjãÍGXǸ [) Iy>p <Щ0T\bX%e܌uFEmhT4X %*l+S7 )/߶S7qݼ¶"yX]A\'X3'5ȱ ya1 g{y{~k#'>gwx>YʐLW\ȏ,,L[Z']ZD!hXrE"O q~ mǻQY1+ (NRQf7`N*)Asa#Dl [ApV7.]28Lg3E~2㡺_0U9um$νk x ؚտHR#I!AC9Xqk @{kv7CM\ar8Lt4Q3|JKm)轇ȝoz^j}XZ#`*F"!2T!6xN`Eqwş7uǫާUQ(ZNɂ`R)XVݽ uM+_1dFx-<#Dg˳̆UZ*$8n~뉘h6JM? ۔̑9MR"Zi/!zR<>gr09d֎V&|&Z2cˤ_ l?#JQ)