Phishing hole discovered in IE

The software giant said Friday that it is looking into reports from security company Secunia and others that a vulnerability in IE6 enables scammers to launch a phishing attack against PCs loaded with the latest security updated version of Windows, Service Pack 2, and older versions of the operating system. Phishing attacks typically use such fake sites, which look like legitimate sites of companies such as banks, to try to con people into handing over personal information such as credit card numbers.

The Web browser flaw allows fraudsters to create a hard-to-spot spoofed Web site, according to an advisory from Secunia, even to the point of including a fake SSL signature padlock certificate. Phishers can also hijack cookies from any Web site, the company said.

"The problem is that users can't trust what they see in their browsers,” Thomas Kristensen, chief technology officer at Secunia, said. “This can be used to trick users to perform actions on what they believe is a trusted Web site, but actually these actions are recorded and controlled by a malicious site.”

Despite the potential to create havoc for IE users, Secunia has rated the vulnerability as only "moderately critical," because it cannot be used to access computer networks.

For Microsoft, this vulnerability marks the latest setback in shoring up the security of its products. When the company launched SP2 in August, Chairman Bill Gates touted it as a significant step in shoring up systems against attacks.

A Microsoft representative said the company was “aggressively” looking into the flaw, but stressed that it had not had reports of any attacks attempting to use the vulnerability. For now, Microsoft is encouraging customers follow its “Protect your PC” guidelines for protecting their PCs by installing a firewall, getting software updates and loading antivirus software.

“Upon completion of the investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," the representative said.

Adding to an ongoing debate over flaw notifications, the representative said Microsoft was concerned that the new report of the IE vulnerability was not disclosed to the software giant before it was made public.

"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed," the representative said.

In its advisory, Secunia said an error in the Internet Explorer 6’s DHTML Edit ActiveX control causes the vulnerability when handling "execScript" functions in certain situations. This flaw can be exploited to execute arbitrary script code in the browser, it said. This would allow phishers to send out an e-mail with a link to a bogus Web site. The URL of the malicious Web site would briefly show, before sending the user off to the spoofed site.

"The problem is that certain input that is supplied to the ActiveX control isn't properly validated before it is returned to the browser," Kristensen said. "This can be exploited to place code that controls what is being displayed in the browser window, while the browser believes it is actually visiting a trusted Web site."

Secunia has posted an example of how the vulnerability works. It is advising users to disable ActiveX support, until a patch is available.

Dan Ilett of ZDNet UK contributed to this report.