A new security vulnerability has been identified in Internet Explorer, the popular web browser. The flaw is caused by an error in displaying domain names in the address bar of pop-up windows. Malicious remote users can exploit this flaw to alter the data shown in the address bar. For more details about the vulnerability, all users are advised to read the text of the original advisory. No patches that fix this issue are available at this time.

Microsoft Internet Explorer Popup Window Address Bar Spoofing

VUPEN ID 	VUPEN/ADV-2011-0593
CVE ID 	GENERIC-MAP-NOMATCH
CWE ID 	Available in VUPEN VNS Customer Area
CVSS V2 	Available in VUPEN VNS Customer Area
Rated as 	Low Risk 
Impact 	Available in VUPEN VNS Customer Area
Authentication Level 	Available in VUPEN VNS Customer Area
Access Vector 	Available in VUPEN VNS Customer Area
Release Date 	2011-03-07

Technical Description

A security issue has been identified in Microsoft Internet Explorer, which could allow malicious web sites to conduct phishing attacks. This weakness is caused by an error when displaying domain names in the address bar of a popup window, which could be exploited by attackers to spoof and masquerade the URL displayed in the address bar and fool users into thinking that they are connected to a trusted site while opening a malicious popup window.

VUPEN has confirmed the issue with Microsoft Internet Explorer 8 on Windows Vista SP2.

Affected Products

Microsoft Internet Explorer 9
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7

Solution 

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2011/0593
http://seclists.org/fulldisclosure/2011/Mar/73

Credits 

Vulnerability reported by cyber flash.

Changelog 

2011-03-07 : Initial release
