IE7 bug undoes new security feature

October 26, 2006

So one of the big ‘improvements’ in IE7 that has been shouted about by Microsoft and others as a great leap forwards is proving to not be quite so great. The phishing filter was designed to recognise websites that are masquerading as something they’re not or trying to access your personal details.

First reports I had back from an acquaintance in the travel industry were that with the phishing filter on confirming a booking on their website was taking ages as the phishing filter tried to verify what was going on. This is actually down to the coding on their website, a small tweak has fixed the problem, but still annoying that a new browser should cause this sort of issues in a very normal, perfectly valid way of implementing a checkout process.

And this morning there are reports tha a spoofing bug has been found which could help crooks mask phishing scams, the exact type of attack that Microsoft designed IE7 to thwart. The bug allows a web site to display a pop-up that can contains a spoofed URL. An attacker could exploit this weakness to fool people into believing they are on a site they trust when in reality they are viewing a page created by hackers for phishing. The alert to this bug came from Secunia. They said, “This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions”. They’ve created a demonstration showing a Microsoft URL in a pop up window, but displaying content from Secunia.

I suppose this will always happen with new software releases, they can’t expect to find every bug and new attack vectors are opened all the time. However it’s not good PR for a new browser, especially when it’s being touted as so secure and going to get pushed by Automatic Updates as a security fix!

Advertisements

One Response to “IE7 bug undoes new security feature”

  1. Anonymous Says:

    feature online search

    Here’s some useful info on feature online search
    which you might be looking for. The url is: http://www.jaldisearch.com/


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: