
Flaw found in new Microsoft browser Herald Sun article

Discussion in 'The Pub' at netrider.net.au started by vic, Oct 23, 2006.

  1. Flaw found in new Microsoft browser

    Asher Moses
    October 20, 2006 - 10:21AM

    An Internet Explorer 7 flaw, found just hours after the browser's launch, could result in sensitive data such as your internet banking details falling into the hands of criminals, says Danish security firm Secunia.

    "A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information," says an advisory published on the Secunia website.

    "The vulnerability is caused due to an error in the handling of redirections for URLs ... This can be exploited to access documents served from another web site," the advisory reads.

    The flaw enables attackers to steal user information that's being entered on a separate website, just as long as the user is visiting a site exploiting the flaw in another window.

    It is understood that one possible scenario entails attackers leading users to an infected website, hoping that they will at the same time log in to an online bank account. Should this occur, the attacker would be able to hijack the user's username and password.

    But Thomas Kristensen, Secunia's chief technology officer, told CSOnline.com that "it is hard to exploit the flaw because it requires the attacker to lure someone to a malicious site, and for the attacker to know what other secure site the visitor might simultaneously have open".

    Last year Secunia found the same flaw in Internet Explorer 6, but it remains unpatched by Microsoft.

    Until the flaw is patched, Secunia says an alternative solution is to "disable active scripting support". Details on how to do this can be found on Microsoft's website here.

    Internet Explorer 7 was officially released by Microsoft yesterday, and is sent through to users as an automatic security update. Users have the option of whether or not to install it on their computer.

    Microsoft has not made any official comment on the discovery.