Software engineers at Microsoft Corp.'s security research team have confirmed the existence of a bug in the Internet Explorer browser that opens the door to URL spoofing attacks.
The flaw, which has been widely reported on public mailing lists, can be exploited by a malicious attacker to spoof the URL of a pop-up advertisement and has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP Service Pack 2.
According to a Microsoft spokesperson, Windows XP SP2 requires the URL of a pop-up ad to be displayed in the title bar when the pop-up has been opened without an address bar. “Our early analysis indicates that only pop-up ads that contain extremely long URLs can be spoofed in this scenario,” the spokesperson told eWEEK.com.
“There is no attack that utilizes this, and Microsoft is not aware of any customers currently being affected by this situation,” she added.
An advisory from security research outfit Secunia said the bug can be exploited to trick a user into entering sensitive information in a pop-up placed over a trusted site.
There is no patch available yet to correct this issue. Secunia recommends that IE users avoid entering sensitive information in pop-ups opened after following links from untrusted sources.
Microsoft also urged customers to follow best practices to prevent identity theft from spoofing and phishing attacks. On its Web site, Microsoft has posted guidance to help customers track and report phishing attacks.