Microsoft moves to fix web spoofing flaw

by Robert Jaques

03 Feb 2004

Microsoft has released a cumulative software update for Internet Explorer (IE) to fix three flaws which the company rates as 'critical', including one that allows website spoofing.

The software company said that any system with IE installed is at risk from the vulnerabilities, and recommends that the update be installed immediately.

"Any systems where IE is actively used [such as users' workstations] are at the most risk from these vulnerabilities," the company said in a statement.

"Systems where IE is not actively used [such as most server systems] are at a reduced risk."

The update fixes three new flaws. One could allow an attacker to run their own code on a user's system, and another could allow arbitrary code to be saved on a user's system.

The third could allow an attacker to misrepresent the location of a web page in the address bar of an Internet Explorer window.

This last flaw, described as an "improper URL canonicalization vulnerability", has recently come to prominence as hackers can use it to perpetrate so-called 'phishing' scams.

"This vulnerability could result in an incorrect URL being listed in the address bar that is not the actual web page that is displayed by IE," warned Microsoft.

"An attacker could use this vulnerability to create a malicious page that spoofs a legitimate site. For example, an attacker could create a web page that looks like a user's online email site.

"While this web page would be hosted on a malicious website, an attacker could use this vulnerability to display a legitimate-looking URL in the address bar.

"A user might see this URL and mistakenly give away sensitive information to the attacker's site."

More information on the security bulletins can be found here.
