Microsoft Confirms IE Phishing Flaw

The bug, which opens the door to URL spoofing attacks, was found on a fully patched system running IE 6.0 and Windows XP Service Pack 2.

Software engineers at Microsoft Corp.'s security research team have confirmed the existence of a bug in the Internet Explorer browser that opens the door to URL spoofing attacks.

The flaw, which has been widely reported on public mailing lists, can be exploited by a malicious attacker to spoof the URL of a pop-up advertisement and has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP Service Pack 2.

According to a Microsoft spokesperson, Windows XP SP2 requires the URL of pop-up ads to display in the title bar when a pop-up has been opened without the address bar. "Our early analysis indicates that only pop-up ads that contain extremely long URLs can be spoofed in this scenario," the spokesperson told

"There is no attack that utilizes this, and Microsoft is not aware of any customers currently being affected by this situation," she added.

An advisory from security research outfit Secunia said the bug can be exploited to trick a user into entering sensitive information in a pop-up placed over a trusted site.

Microsoft says IE 7 will include technologies to help prevent URL spoofing in phishing attacks.

There is no patch available yet to correct this issue. Secunia recommends that IE users avoid entering sensitive information in pop-ups after following links from untrusted sources.

Microsoft also urged customers to follow best practices to prevent identity theft from spoofing and phishing attacks. On its Web site, Microsoft has posted guidance to help customers track and report phishing attacks.