Microsoft Internet Explorer XSS vulnerability could provide bite for phishers
Microsoft's Internet Explorer 7 (IE7) is vulnerable to cross-site scripting that could allow attackers to spoof a trusted site to launch a phishing attack. Vulnerability tracking firm Secunia ranks the flaw, discovered by Israeli researcher Aviv Raff, as "less critical."
Attackers are able to inject script into the "Refresh the page" link that appears on a webpage when navigation to a particular site is canceled. Cyberthieves can then lead unsuspecting users to a phishing site.
"The victim will think that there was an error in the site or some kind of network error and will try to refresh the page," Raff said on his website. "Once he will click on the "Refresh the page" link, the attacker’s provided content (e.g. fake login page) will be displayed and the victim will think that he’s within the trusted site because the address bar shows the trusted site’s URL."
Microsoft is investigating the "possible" vulnerability and was not aware of any customers being affected, a company spokesman told SCMagazine.com today in an email.