View full version: Internet Explorer Address Bar Spoofing Vulnerability


Giorgius
17-08-2004, 12.30.34
Effects:
Liu Die Yu has discovered a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to conduct phishing attacks against a user.

The vulnerability is caused due to Internet Explorer failing to update the address bar after a sequence of actions has been performed on a named window. This can be exploited to display content from a malicious site while displaying the URL of a trusted site in the address bar.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6 running on Microsoft Windows 2000 SP4 / Microsoft Windows XP SP1.

Previous versions of Internet Explorer may also be affected.

Secunia has developed a demonstration of the vulnerability, which may be found here:
http://secunia.com/internet_explorer_address_bar_spoofing_test_popup/

NOTE: Currently known attack vectors do not work on Windows XP systems with SP2 applied.

Info:
http://secunia.com/advisories/12304/