A newly uncovered vulnerability in
Microsoft's
Internet Explorer could allow attackers to launch a phishing attack.
Security firm
Secunia said
that the flaw lies in the way Internet Explorer handles failed page loadings.
When a page fails to load or cannot be found, a default HTML file known as
'navcancl.htm' is normally displayed.
The page contains a message that the requested file could not be accessed
along with a button that reloads the page.
The attack is carried out when a user visits an attacker's site. The site
causes the 'navcancl' page to load and then manipulates the refresh button to
redirect the user to a phishing site.
"While some may argue that such an attack requires too many steps, if you
think about it, anyone who surfs the internet performs the same exact steps all
the time: surf, fail to access the page, refresh," said Secunia technical writer
Ina Ragragio.
The vulnerability is classified as 'less critical', the second of Secunia's
five security alert levels.
A Microsoft spokesperson told
vnunet.com
that the company is investigating the reports.
Microsoft and Secunia have not received any reports of attackers actively
targeting the vulnerability.
Do you agree?
Have your say on this article