IE7 zero-day exploit opens new pond for phishing

Even tech-savvy fooled

Security experts are warning of a zero-day Internet Explorer 7 exploit that is set to wreak havoc on the Internet, even for users who consider themselves to be particularly tech-savvy.

The exploit can leverage the browsers' functionality and bypass its anti-phishing feature to redirect users to phishing sites.

It affects IE7 for Windows Vista and XP by targetting a cross-scripting vulnerability in the browser's navcancl.htm local resource.

Users follow a seemingly legitimate link which directs the browser to a non-existent URL, causing the navigation cancelled page to appear, which prompts an IE7 refresh.

Malicious script redirects users who click the navcancl.htm to "refresh the page" and links to a phishing site mirror of the requested page, where the sole differential is the site's certificate.

The exploit uses a design flaw in IE7 which removes the URL of the local resource and leaves the provided URL (eg: res://ieframe.dll/navcancl.htm#http://www.computerworld.com.au, which will be displayed as http://www.computerworld.com.au)

Craig Searle, technical team leader at security company SIFT, said the zero-day exploit could wreak havoc because a false sense of security exists with users believing IE7 is more secure.

"It is an effective cross-site scripting attack because it ships effectively with IE7 and can work on any site," Searle said, adding he has never before seen an exploit of this type.

"It could be very effective and hit a lot of users if it was hosted on a stock market forum as a link to a legitimate site because they can display whatever URL they want.

"It's no longer about sites being vulnerable to cross-site scripting, it's about the browser itself being vulnerable and it will become even more difficult for users to combat this."

He said the legitimacy of the exploit will fool even the tech savvy unless they check the site certificate.

"The certificate would be invalid if you compare its contents to what is being presented by the Web site," he said.

Neal Wise, director of security consultancy Assurance.com.au, said the exploit's reach is bolstered because it is difficult to get users to validate site certificates.

"It is very difficult for users to determine what is a trusted site and what isn't - you can point users to certificates all you want," Wise said.

"Either someone is already looking at how to incorporate the exploit or they already have.

"With functions and features there are always issues. However, external [sources] shouldn't be allowed to influence internal application operations, unless it is absolutely necessary."

Wise said Web browser designers need to be particularly vigilant about being influenced by the content they render.

Join the newsletter!

Error: Please check your email address.

More about MicrosoftSymantecWebSideStory

Show Comments

Market Place