New Phishing Flaw in Internet Explorer

JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (german) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."

Bug fixed in IE7b2

[LocalH]

I just tested it in IE7b2 and got the correct results, showing the Secunia URL and not Google's.

Re:Bug fixed in IE7b2

[NeoThermic]

You can also fix this in IE6. Go to Tools -> Options, click the security tab, then click on 'Custom Level'

Scroll down until you find 'Navigate sub-frames across diffrent domains'; set it to prompt or disable.

The test fails if you set it to disable, and it will ask you if its allowed (to exploit you) if you set it to prompt.

NeoThermic

Corporate Policy

[Valdrax]

I have to use Explorer at work. A defect tracking system and a time tracking system at work both refuse connections from anything that doesn't identify itself as Explorer, and one of them (I can't remember which) doesn't work if you set up Firefox to pretend to be Explorer.

So, I use Avant -- a wrapper around Explorer that gives multiple tabs and can block ads & pop-ups. It seem invulnerable to this bug, incidentally. Supposedly Netscape 7 can use Explorer for certain websites and the Mozilla rendering engine for others, but I couldn't figure out how to get to work exactly how I wanted, so I punted. I've been pretty happy with Avant since then, but I prefer Firefox for home.