IE Bug Makes 'Spoofing' More Believable
Normally, it is easy to spot a spoofed or fake Web site if the user knows what he or she is looking for. However, a new IE flaw discovered by Danish company Secunia may change all that. Researchers found a way that a scammer could make a fake Web site look real -- right down to the URL of the real site.
What is troubling for Microsoft is that the bug was discovered in the IE version shipped with XP Service Pack 2, touted by the company as much more secure than its predecessor. The bug could occur in any Internet Explorer running ActiveX controls, although Secunia says it has only tested for the bug on XP computers.
"The problem is that users can't trust what they see in their browsers," Secunia Chief Technical Officer Thomas Kristensen told BetaNews. "This can be used to trick users to perform actions on what they believe is a trusted Web site, but actually these actions are recorded and controlled by a malicious site."
Kristensen said it was not necessary to alert Microsoft to the problem because the company watches the same mailing lists where the findings were posted and should therefore be aware of the issue.
In a statement to BetaNews, Microsoft said that it is aware of the situation, although it has not received any reports of attacks attempting to take advantage of the vulnerability.
However, Microsoft found it "irresponsible" that the problem was not reported directly to the company. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," Microsoft said.