New Phishing Flaw in Internet Explorer

JimmyM writes "Secunia reports on a new vulnerability in Internet Explorer. From the piece: 'This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.' According to several (german) media outlets this is already being exploited by phishing sites. Secunia has a test you can try to see if you are vulnerable."

Test I can try?

[stunt_penguin]

1. Look up in top left hand corner of browser.
2. If icon is a blue 'e' then you're vulnerable.

That is all.

/ms troll

Re:Why??

[LunaticTippy]

I'll tell you why.

It's the default browser.

I make it a point to install firefox and remove all shortcuts to IE on any machine I have to fix, except for at work, where we have a couple of IE-only apps. (don't ask)

The average (I don't want to say idiot) user simply doesn't think or know about other browsers. We need to remember that the typical user doesn't live in "our" world.

Re:Why??

[ThinkFr33ly]

You're missing the biggest factor.

Most people just don't care what browsering they're using. They just want to check their e-mail and go to myspace. It's as simple as that.

Many of the don't even know what a "browser" is. They call it "The Internet".

That's why people don't switch to Firefox.

Ga!

[MightyMartian]

New Phishing Flaw in Internet Explorer

I'm shocked, I tell you, I'm shocked!

Re:Why??

[LunaticTippy]

I try to think of my mother as a typical user. She can just barely get around on a computer. I (and many of her friends and relatives) try to educate as best as we can, but it is slow. She still sends out chain letters, including the shergold one. She needed me to help her install flash to see a stupid website. I told her she could print out documents at kinko's and she showed up there with her files at home.

Things have improved over the years. There are many competent users now. But we can't get complacent. People bring their computers to work for me to fix. It's the same thing every time. These are typical users.

What?

[snib]

This doesn't work in Firefox. I hate it when people only design their pages for IE!!

Looks like I'm secure

[m50d]

I tried to open the test page in Konqueror and it crashed. I wish I was joking :(

Fundamental Browser Issue

[chill]

The concept is simple. See the button bar (tab bar on Firefox) up top? Now look down -- see the Status bar down below? In between there is the screen real estate that content should be allowed to touch. Under no circumstances should anything outside of that area be touchable by the browser or any task/thread/job spawned by the browser. Period. The URL bar, button bar, toolbar, and statusbar should be inviolate. Javascript (or ANY script) should be unable to display text in the status bar, thus making it impossible to lie about link location.

Extensions, which are installed explicitly thru a separate procedure, would be the only way to put something in the status bar.

Change the little lock symbol to take up more room in the status bar. Make it list the URL the certificate is issued to next to the lock. If that doesn't match the URL you're on, change the URL bar background to ORANGE (not yellow) and make the lock flash or something. Yes, I know, you clicked "accept this certificate" but it is still a hacked-up cert and needs some cursory attention.

* * *

For those twits that are going to whine "but I don't use the status bar" or "I've rearranged my button/menu/tool bar up top so it isn't that way" this is a trivial issue to work around. This was just a quick way to describe the working screen area for most people.