IE bug provides phishing tool

A flaw in Internet Explorer makes it easy for scammers to create dummy sites that look like legitimate ones, and try to steal information from Web users
Written by Patrick Gray, Contributor

A newly discovered bug in Microsoft's Internet Explorer Web browser may help fraudsters trick Internet users into divulging sensitive information and executing malicious code, according to a security researcher.

The new glitch allows a specially crafted URL, or link, to load a browser window that appears to be displaying any address the attacker wants -- this would enable a fraudster to load a window that would appear to be displaying www.zdnet.com.au, for example, but would in fact display content from another source. The problem will make it easier for scammers to trick Internet users into divulging personal details through "phishing scams", where emails purporting to come from the victim's Internet banking provider or another such site encourage them to re-enter details such as usernames and passwords, according to security research engineer Drew Copley.

"You could pretend to be anybody. You could have someone run executable content," he said by phone from the US. "This is not the end of the world [but] it adds to Microsoft's woes."

IE bugs are somewhat of a specialty for Copley, of US-based eEye Digital Security. He has uncovered numerous security issues in the near-ubiquitous Web browser. While the bug may not allow an attacker to compromise a system through a traditional "remote compromise" style of attack, it's the glitch's potential to undermine the users ability to determine what they should trust that represents the largest concern in this instance, he said.

"If [the address is] appearing legitimate like that, you can get people to download anything, run anything, or get a password or whatever," he explained.

However, other, more serious vulnerabilities are more likely to be on the top of Microsoft's hit-list, Copley said; several vulnerabilities were recently discovered by a Chinese security group, with three of them allowing an attacker to remotely compromise a system.

While it's possible for users to mitigate those vulnerabilities by disabling the browser's "active scripting", which allows the browser to run scripts and ActiveX code, turning off the feature will limit the browsers functionality, Copley said.

"You can, of course, turn off active scripting ... it's going to protect you, but it's going to make it hard to browse around," he argued.

The latest glitch was discovered by 18-year-old graphic designer Sam Greenhalgh.

Editorial standards