Please note, there is no fix for this vulnerability from MS as of yet. Secunia advises disabling Active Scripting support.
Description:
Hai Nam Luke has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks. The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.
Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
[secunia.com...]
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected.
Try some alternate browser like Firefox.
But if you do, make sure you patch that too [webmasterworld.com]. :)
Whilst IE vulnerabilities are much more frequent, the latest Firefox bug is much more serious than this particular IE one.
I do think that vulnerabilities are here to stay and appreciate WebmasterWorld especially for the members wise to this fact. I've long since moved on from considering a secure OS. The complexity of what we want makes that an impossibility. If we have the minds capable of securing a network decide what is possible and what's not, we would be secure but less useful. Be the judge, it's a crap shoot to me.
Mine says .google.ca - is this the same thing as .google.com, in this instance?
Yes. If you were not open to this vulnerability, you would end up at the Secunia website.
[secunia.com...]
Tie it in with the hack that changes your browser's home page... imagine your homepage got taken over and yet it still rendered as google.com / yahoo.com / msn.com... How many Gmail / Yahoo Mail / Hotmail users would innocently input their user/pass to those spoofed pages? Google is my homepage, and I can tell you right now that I wouldn't have the slightest idea that I was getting conned if they designed the pages right. (And it's oh-so-tough to recreate Google pages, isn't it?)
Question: Are secure websites protected from this vulnerability?
You know what would be a scary application of this?...
Actually that's already possible by just modifying the hosts-file.
Very true, and it would work with any browser the user had installed, not just IE. Address bar spoofing is a very similar concept; thankfully IE7 addresses this issue to an extent by letting you know in no uncertain terms that the certificate does not match the domain. By letting you know, I mean red address bar and full page error message before it will let you proceed.
Mack.
However, the alert is mainly hype for Secunia. The link at the top of the WebmasterWorld homepage only enhances such hype.
I think it is time for WebmasterWorld to provide better and more relevant content on its homepage.
What have you been seeing?
Well, yesterday I had some major issues with the temp cache (IE) being flooded. Also, something happened with my Norton Spam within Outlook although that may be unrelated.
Since then, I've done full system scans for viruses, etc. All is well.
After dumping the temp cache and reviewing all my running processes (just to be sure), things appear to be back to normal. I don't want to run the test again until I know for sure if others experienced any issues.