Internet Explorer Spoofing Vulnerability Found

Users could be lulled into providing sensitive information through a Internet Explorer browser vulnerability that allows fake URLs to obscure the real domain.

A new vulnerability discovered this week in Internet Explorer could allow for the spoofing of URLs in the Web browsing, potentially putting users sensitive information at risk.

Security researchers confirmed a vulnerability in Internet Explorer 6 that could let an attacker display a fake URL in the browsers address bar in an attempt to disguise the real domain, according to a security bulletin released on Tuesday by Danish security company Secunia Ltd.

Using the security hole, an attacker could trick users into providing sensitive information or download malicious software by leading them to think that they are visiting a trusted site, the advisory said.

Secunia rated the vulnerability as "moderately critical." A Microsoft spokesperson on Wednesday said that the company knows of no exploits of the reported hole or of any users being affected but said in a statement that it is "aggressively investigating the public reports."

Microsoft may provide a fix through its monthly patch release cycle or a separate patch, depending on the outcome of the investigation, the spokesperson said. Earlier this week, however, Microsoft said that it would not release any security bulletins for the month of December.


See what eWEEK columnist Brian Livingston has to say about Microsofts patch release schedule.

Secunia, in its advisory, said that IE allows spoofing because of an input validation error. To fix the gap, the advisory suggests that users turn on URL filtering capabilities in a proxy server or firewall to block malicious characters and character sequences and to avoid clicking Web links unless they are from a trusted source.