sungate.co.uk

Ramblings about stuff

Danger, Will Robinson!

And we have yet another major security hole in Microsoft Internet Explorer. And this one’s fairly easy to understand and almost as easy to exploit, which is bad news for anyone who uses IE.

Basically, IE can fool the user into thinking that it is showing Site A when in fact it is showing Site B. Click here for my specially-prepared demonstration. Note that this demonstration is safe and does not in itself constitute a security risk; it merely demonstrates the problem. But then again, why should you trust me?

This bug is not good. For example: you see a link that looks like your online banking service, you click on it, and it looks like the right web site and has the correct address in the address bar. Except it’s actually something else: someone trying to con you into handing over sensitive information (such as usernames and passwords or other personal data).

For a technical description of how the bug can be exploited, see the advisory from the Danish security company Secunia. Given that I created the test exploit in about half a minute, it doesn’t take a rocket scientist to figure out that this bug could give rise to a lot of problems.

Oh, and Microsoft are investigating. But seriously, folks, don’t you think it’s time you installed something better now? Yes??
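A defender-side illustration of the post's point, added here and not part of the original post or of the Secunia advisory it links to: a small Python check that reports the host a link will actually reach, the host a reader might believe they are visiting, and the kind of "you are actually going to site A, but you may think it's really site B" message a browser could show. It assumes (the page itself does not say so) that the spoof class in question dresses up the `user@` part of a URL's authority section as a trusted hostname, possibly padded with a control character that a buggy address-bar renderer stops drawing at; the hostnames and links below are constructed placeholders, not real sites.

```python
"""Added example, not code from sungate.co.uk or from Secunia.

Shows how to recover the host a URL really connects to and to flag URL
text that a casual reader (or a buggy address bar) might misread.
Assumption, not stated on the page: the spoof relies on a hostname-like
'user@' part in front of the real host. Sample links are constructed.
"""
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# C0 control characters and DEL: legal nowhere in a URL's authority part.
_CONTROL = {chr(c) for c in range(0x20)} | {"\x7f"}


def real_host(url: str) -> str:
    """Host the URL will actually be fetched from (after any 'user@' part)."""
    return (urlsplit(url).hostname or "").lower()


def decoy_host(url: str) -> str:
    """Hostname-looking text placed before '@' in the authority, or ''.

    This is what a careless renderer may show as if it were the site.
    Percent-encoding is removed and the text is cut at the first control
    character, which is where a broken renderer might stop drawing.
    """
    netloc = urlsplit(url).netloc
    userinfo, sep, _ = netloc.rpartition("@")
    if not sep:
        return ""
    shown = unquote(userinfo)
    for i, ch in enumerate(shown):
        if ch in _CONTROL:
            shown = shown[:i]
            break
    shown = shown.split(":", 1)[0].lower()  # drop any 'password' part
    return shown if "." in shown else ""


def findings(url: str) -> List[str]:
    """Reasons the URL text could mislead a reader, in display order."""
    netloc = urlsplit(url).netloc
    out: List[str] = []
    if "@" in netloc:
        out.append("authority contains '@': text before it is not the site")
    if any(ch in _CONTROL for ch in unquote(netloc)):
        out.append("control character hidden in the authority")
    decoy, real = decoy_host(url), real_host(url)
    if decoy and decoy != real:
        out.append(f"looks like {decoy} but goes to {real}")
    return out


def warning(url: str) -> Optional[str]:
    """Message a browser could show before following a misleading link."""
    decoy, real = decoy_host(url), real_host(url)
    if decoy and decoy != real:
        return (f"You are actually going to {real}, "
                f"but you may think it's really {decoy}.")
    return None


# Constructed sample links (placeholder hostnames, not real sites).
SAMPLES = [
    "https://www.bank.example/login",                      # honest link
    "https://www.bank.example%01@attacker.example/login",  # decoy + control char
    "https://www.bank.example@attacker.example/login",     # decoy, no control char
    "https://user:secret@files.example/",                  # ordinary userinfo
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link)
        print("  real host:", real_host(link))
        for reason in findings(link):
            print("  !", reason)
        message = warning(link)
        if message:
            print("  ", message)
```

The check deliberately trusts the standard library's parse of the authority (everything after the last `@` is the host) rather than the visible text, which is the same distinction a user would need to make when the address bar cannot be trusted; a certificate check, as one of the comments suggests, is the complementary control, since a certificate is issued to the real host and not to the decoy.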

3 Responses to Danger, Will Robinson!

  1. Why does this really matter? Most stupid users never check the title bar in any case; this won’t really make their situation any worse.

  2. … this won’t really make their situation any worse.

    I disagree. There is more potential for clueful users to be caught by this one too. Of course, checking SSL certificates will help, as will including some sort of “you are actually going to site A, but you may think it’s really site B” popup warning from the browser. I believe Opera already does this.

  3. The same sort of people will fall for this who fall for the 419 scams (some have even been known to continue sending money *after* they know it’s a scam, in the vain hope they’ll actually get something back).
