Advertisement
Promo

Security threats Toolkit

Warning on IE 7 pop-up problem

Dawn Kawamoto CNET News

Published: 31 Oct 2006 11:56 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Security researchers on Monday warned of a problem in Internet Explorer 7 that could allow malicious attackers to alter content in a legitimate website's pop-up window.

The browser issue could affect users who visit a trusted site by opening a pop-up window in that site that contains malicious code. This is the second IE 7 problem that has been discovered since Microsoft released the browser two weeks ago. Last week, a security flaw was discovered in IE 7 that could spoof the address of a pop-up window.

Watch this

The 2006 CNET Awards
Video Story Video Control Panel

The two IE 7 security holes, if used in conjunction with each other, can easily dupe all but the most security-minded users, said Thomas Kristensen, chief technology officer of security company Secunia, which discovered the problems.

Secunia has classed the latest problem a security vulnerability, while Microsoft states the situation arises from "by-design behaviour" in the browsers.

"The (Secunia) report describes a by-design behaviour in popular web browsers that allows a website to open or re-use a pop-up window," a Microsoft reprensentative said. "In Internet Explorer 7, the web page's actual URL is displayed in a pop-up window address bar, enabling users to accurately make a trust decision."

Microsoft said that people who follow its safe browsing guidelines and verify an HTTPS connection before entering sensitive personal information can increase their ability to guard against an exploit.

Secunia rated the most recent flaw as "moderately critical" because viewing the content does not provide attackers access to a user's computer. But it can still prove harmful if a user enters sensitive information into the malicious pop-up window, such as credit card information, usernames or passwords, Kristensen noted.

The vulnerability is also rated moderately critical because it requires user interaction and affects only particular trusted websites.

Secunia noted that the security flaw can affect a fully patched system running IE 7 and Microsoft Windows XP Service Pack 2.

The security company advises users to avoid browsing untrusted sites while browsing sites that they trust.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
376 out of 522 people found this useful


In association with Network Liberation Movement

Talkback

Post a comment


Full Talkback thread

4 comments

  1. Stuttering Start for IE7 David
  2. Mac User Gareth.Kennett
  3. MAC users don't be too smug 46880
  4. Happy MAC User Gareth.Kennett

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:







Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

DNA details of innocent will be kept f...

The government has announced that it plans to keep innocent people's DNA details for up to six years. In response to a consultation it launched last December, the government said... More

5 comments

Motorola Droid Drops Today: Happy Droi...

Motorola Droid Drops Today: Happy Droid Day America! Author: Eric Everson, Mobile Security Expert If you’re wondering what all of the buzz is about with words like Droid and Android... More

Post a comment

Mobile Security Profile: BlackBerry St...

Mobile Security Profile: BlackBerry Storm2 Author: Eric Everson BlackBerry handsets are a staple of office culture; from syncing calendars to sharing business-related data,... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters