Massive IE phishing exploit discovered

Summary: Even SP2 versions of Microsoft's Internet Explorer are vulnerable to a spoofing exploit published yesterday

A vulnerability researcher posted details of a dangerous Internet Explorer (IE) flaw on Thursday that allows phishers to spoof Web sites more realistically than ever before.

According to security company Secunia, Paul from Greyhats -- a research group -- has published details of a vulnerability that can be exploited to spoof the content of any Web site.

Using the exploit, scammers are able to manipulate all versions of IE, including Windows XP SP2 -- the latest and most secure version of the browser -- and spoof the URL and SSL signature padlock located at the bottom of the browser screen.

The flaw is caused by a cross-site scripting vulnerability in the DHTML Edit ActiveX control, but because it lies within the browser, it can be used against any Web site, Secunia said.

"That is huge," said Thomas Kristensen, chief technology officer for Secunia. "When you cross-site script a Web site, the user can’t see that anything unusual is happening. The URL looks like it's a legitimate site and if you go to the SSL padlock, it will show a certificate for the site even though it is controlled by malicious scripting."

"The malicious Web site can control what is seen in the address bar. People still don't realise the significant impact of cross-site scripting. This is the vulnerability that phishers and scammers have been looking for. You could also steal cookies from any Web site," Kristensen warned.

"The most likely outcome is a phishing email, where users click on a link, then open the browser. They then briefly see the URL of the malicious Web site, and then see the scam Web site," Kristensen added.

Nick McGrath, Microsoft's security spokesman, and the Microsoft UK security team were unavailable to comment at the time of writing because they are in the United States. The company has previously frowned upon researchers who have posted exploits without letting it know first.

Kristensen said he was unsure why Paul chose to publish the exploit before informing Microsoft. Secunia has developed an exploit test on its Web site which is available for download.

Secunia has labelled the vulnerability as "moderately critical" because people cannot use it to access systems.

Talkback

5 comments
  • Surprise, surprise. Another day. Another ActiveX vulnerability. Another hole in IE.
    anonymous
  • Firefox here I come! To hell with work policies!
    anonymous
  • Surprise - this is always happening.
    anonymous
  • Why not inform Microsoft about an exploit first?

    Errr, because doing it Microsoft's way doesn't lead to the desired results perhaps? Because complying with Microsoft's PR damage control policies leaves a bad taste in the mouth? Because knowing that there's a big problem within a certain product that still isn't fixed 200+ days later while the vendor of that product is still putting massive amounts of money in lying to the world how secure they are is not something all professionals can carry with them day in, day out?
    anonymous
  • Get rid of your IE/Windows OS and never use IE to purchase anything online.

    Microsoft is a disaster for the entire internet.

    Look at your options now.

    http://www.webcenter.squarespace.com/linux-os-versus-windows-os/

    Get away from the smoke and mirrors OS who partners with hackers and criminals worldwide.
    anonymous