
Security Strategy

Phishing hole found in IE 7, says developer

What of Microsoft's built-in anti-phishing guards?

Tags: ie 7, phishing

By Joris Evers

Published: 15 March 2007 09:05 GMT

Microsoft is investigating a possible vulnerability in Internet Explorer 7 that could help cyber crooks launch phishing scams.

An attacker can use an error message displayed by the latest Microsoft browser to send web surfers to malicious sites that will display with the address of a trusted site, such as a bank, Aviv Raff, a developer in Israel, wrote on his website. Raff included an example where the error message directs the surfer to a site of his or her choice.

Microsoft is looking into the issue, a representative said. "Microsoft is not aware of any attacks attempting to use the reported vulnerability," the representative said in an emailed statement. "Microsoft will continue to investigate... to help provide additional guidance for customers as necessary."

The vulnerability relates to the message IE displays when the loading of a web page is aborted, Raff wrote. An attacker can rig the message by creating a malicious link. The message offers a link to retry loading the page; clicking it brings up the attacker's page while showing an arbitrary web address, he wrote.

To launch a phishing attack, an attacker can create a web link that purports to go to a trusted site, such as a bank. When clicked, the link results in a rigged error page. Following the reload link on that page will display the attacker's website with the address of the trusted site in the IE 7 address bar, Raff wrote.

IE 7 is affected on both Windows Vista and Windows XP, Raff wrote.

Joris Evers writes for CNET News.com
