Flaw finder warns of IE 7 phishing hole
#1 20.03.2007, 11:19
Dracula4ever
Regular
Registered: 08.05.2006
Posts: 559
Time spent on forum: 1593567

Reputation: 354



An Israeli security researcher demonstrated on Wednesday an attack that uses a flaw in the way Microsoft's latest Web browser handles canceled pages that could help phishers fool their victims.

The attack uses the reliance of Internet Explorer 7 on a special local resource to display a message when a user cancels navigating to a requested Web page, said Aviv Raff, a security researcher and software developer based in Israel. A phisher could exploit the issue by using a script to create a specially-crafted version of the local navcancl.htm page to show content that appears to be from a trusted site. When a victim opens up a link provided by an attacker, the "Navigation Canceled" page will be displayed, and the victim will likely believe that some error prevented the site from working and thus refresh the page, Raff said.

"The attacker’s provided content--e.g. fake login page--will be displayed and the victim will think that he’s within the trusted site, because the address bar shows the trusted site’s URL," Raff stated on his blog.

The issue belongs to the most numerous class of vulnerabilities: cross-site scripting (XSS) (corrected). Such issues have become the No. 1 type of flaw found in software, according to data from the Common Vulnerabilities and Exposures (CVE) project. While many XSS flaws, at worst, make it more difficult for a user to discern phishing attacks, a number of such vulnerabilities can lead to serious security problems, as attested by a serious data-leak vulnerability in Google Desktop fixed earlier this year.

Raff contributed a similar class of vulnerability in QuickTime--known as a cross-zone scripting flaw--during the Month of Apple Bugs (MoAB) project in January.

Microsoft researchers are currently investigating the issue but have seen no evidence that the alleged flaw is currently being used maliciously, the software giant said in a statement sent to SecurityFocus. The company also spelled out its policy that flaws should be directly reported to the software maker.

"Microsoft continues to encourage responsible disclosure of vulnerabilities to minimize risk to computer users," the company stated. "Microsoft supports the commonly accepted practice of reporting vulnerabilities directly to a vendor, which serves everyone's best interests."

The issue affects Internet Explorer 7 running on both Windows XP and Windows Vista, according to researcher Raff.


http://www.securityfocus.com
 

#2 21.03.2007, 19:11
bxN5
Regular
Registered: 08.01.2006
Posts: 865
Time spent on forum: 3279330

Reputation: 343



it's an old soft Take +

Last edited by Дрэгги; 24.03.2007 at 23:38.
 