Security threats Toolkit

Microsoft IE bug leaves users vulnerable to phishing

Published: 14 Jun 2004 13:05 BST

The US Computer Emergency Readiness Team (US-CERT), the net security watchdog, released a security alert on Friday warning of a flaw in Microsoft's Internet Explorer which allows attackers to run programs on a user's computer.

The flaw is in IE's cross-domain security model, which keeps frame content from different sources separate. This means that attackers could run programs and view files using the privileges of the user running IE.

Graham Cluley, senior technology consultant at Sophos, said on Monday that there are no reports so far of viruses or hackers exploiting this vulnerability; however, home users and businesses should be careful while "Microsoft feverishly puts the fix together".

"The flaw is not banking-specific," Cluley said, however, phishers could exploit the flaw to run a key logger, capturing Internet-banking passwords typed on the computer's keyboard. Key loggers can be installed on the computer by worms or Trojans, Cluley warned.

This is more difficult to avoid than the standard phishing attack that involves users entering their details into a fraudulent Web site, having been directed there by a spoofed email.

US-CERT advises that users disable Active scripting and ActiveX controls, maintain antivirus software and do not click on unsolicited links.

A spokesperson for Microsoft on Monday said that the company is currently investigating this bug and will put out a patch as soon as possible. Meanwhile they have updated their advice on how users can "Help ward off hackers and attackers".