IE 7 Suffers From Second Bug
Danish vulnerability tracker Secunia alerted users that a spoofing attack -- where a bogus site seems to have a legitimate URL -- can be conducted against IE 7. The Copenhagen-based company has posted a test it says demonstrates the vulnerability.
"This is the kind of spoofing vulnerabilities which IE7 was supposed to be better at protecting against than its predecessor," said Thomas Kristensen, Secunia's chief technology officer, in an e-mail to TechWeb. "While the issue isn't clear cut since the vigilant user might be able to spot that something isn't quite right, [others may be] easily fooled by this trick, despite the built-in anti-phishing mechanism being enabled [in IE 7]," he added.
Secunia rated the spoofing flaw as "Less critical," the second-lowest ranking in its five-step warning.
Last week, only hours after Microsoft unveiled the final version of IE 7, Secunia posted a warning of a cross-domain bug in the browser; later, Microsoft disputed the report by claiming that the vulnerable component was not within IE 7, but contained in Outlook Express, the free e-mail client shipped with Windows XP.
Secunia's demonstration test also showed that the version of IE 7 included with Windows Vista Release Candidate 2 (RC2) is also vulnerable to the spoofing flaw.