[ISN] Another security hole found in IE

[InfoSec News]

http://news.com.com/Another+security+hole+found+in+IE/2100-1002_3-6058557.html

By Joris Evers 
Staff Writer, CNET News.com
April 6, 2006

An unpatched vulnerability in Internet Explorer could aid fraudsters
in pulling off phishing scams, experts have warned.

The error could be exploited to fake the address bar in a browser
window, security monitoring company Secunia said in an advisory
published on Tuesday. This tactic could be used in phishing scams that
attempt to trick people into believing they are on a legitimate site,
when in fact they are viewing a fraudulent Web page.

Phishing is a prevalent type of online scam that seeks to pilfer
personal information from unsuspecting Internet users. The scams
typically combine spam e-mail with fraudulent Web sites that appear to
come from a trusted source, such as a credit card company or a bank.

The flaw exists because of an error in the way the Microsoft Web
browser loads Web pages and Macromedia Flash animations, according to
Secunia. The company rates the issue "moderately critical" and has
created a special Web page where users can test their Web browser to
see if they are affected.

Secunia has confirmed that the vulnerability affects IE 6.0 on Windows
XP with all current security patches. It also affects the latest IE 7
Beta release, Secunia said. Other versions may also be affected, it
said.

Microsoft is investigating the newly reported flaw, a representative
said in an e-mailed statement late Wednesday. "Our initial
investigation has revealed that customers who have set their Internet
security settings to high, or who have disabled active scripting, are
at reduced risk from attack as the attack vector requires scripting,"  
the representative said.