After only a few weeks on the market, Microsoft's Internet Explorer 7 browser contains flaws that threaten users' security and leave them vulnerable to malicious attacks. The most recent flaw concerns pop-ups containing malicious code appearing on legitimate websites. Add to that the spoofing flaw discovered last week in IE7, and you get a security threat that most users would do well to be wary of.
According to the Danish security provider Secunia, a vulnerability has been discovered today. It allows a hacker to inject content into a window opened by another site if the hacker knows the target name of that window. If a user visits a site built by a hacker for this purpose and then opens a second, trusted site, the hacker's site can insert content into the pop-ups that the trusted site may contain.
Although it does not allow the hacker to access or control the user's computer, the flaw can nevertheless be used to collect a user's personal information if that user enters usernames, passwords, or account numbers in the window. Because the targeted websites are legitimate and trusted, it is much easier for hackers to take advantage of even the more security-savvy users.
This flaw is a repeat of an IE6 problem, reported for the first time in 2004.
The Secunia website indicates that the company has created a test for users who suspect they may be affected, available at the following address: http://secunia.com/multiple_browsers_window_injection_vulnerability_test/. To avoid this vulnerability, Secunia's experts advise users not to browse trusted and untrusted sites at the same time. Since the flaw is IE7-specific, it may also make sense to use a different browser until a patch for IE7 is issued.
"Impersonation," or spoofing, refers to a program masquerading as another by using false data in order to access a user's information. In the case of this particular IE7 vulnerability, users can check the URL of the pop-up window to make sure it is actually affiliated with the site they are visiting.
Microsoft has been notified of the problem and is currently investigating it. To date, no hotfix has been released for either flaw. No exploit of the flaw has been reported.