Sunday, October 29, 2006

Microsoft Investigates IE7 Breach Staff Reporter
Microsoft on Thursday said it would investigate a reported security vulnerability in its new web browser software, Internet Explorer 7, but downplayed the risk. Danish security company Secunia on Wednesday announced that they've discovered a security vulnerability in Microsoft's new browser, which could allow "spoofing" of a URL in the browser's address bar. "The problem is that it's possible to display a popup with a somewhat spoofed address bar where a number of special characters have been appended to the URL. This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions," Secunia said in a release to users.
Microsoft, however, downplayed the seriousness of the vulnerability, while vowing to investigate, reports InformationWeek. "We're not aware of any attacks that are attempting to use this," said Microsoft's security program manager at its response centre, Christopher Budd. "But as always we will continue to monitor the situation throughout our investigation." He also suggested that users look at the complete URL by scrolling in the address bar before proceeding on a suspicious website.
Secunia, however, did not share Microsoft's appraisal of the situation: "These are the kind of spoofing vulnerabilities, which IE7 was supposed to be better at protecting against than its predecessor," Secunia's chief technology officer, Thomas Kristensen, told iTWire. "While the issue isn't clear cut since the vigilant user might be able to spot that something isn't quite right, then any user not wearing the paranoid glasses is easily fooled by this trick — despite the built-in anti-phishing mechanism being enabled."