Visualizza versione completa : Internet Explorer Address Bar Spoofing Vulnerability

17-08-2004, 12.30.34
Liu Die Yu has discovered a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to conduct phishing attacks against a user.

The vulnerability is caused due to Internet Explorer failing to update the address bar after a sequence of actions has been performed on a named window. This can be exploited to display content from a malicious site while displaying the URL of a trusted site in the address bar.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6 running on Microsoft Windows 2000 SP4 / Microsoft Windows XP SP1.

Previous versions of Internet Explorer may also be affected.

Secunia has developed a demonstration of the vulnerability, which may be found here:

NOTE: Currently known attack vectors do not work on Windows XP systems with SP2 applied.