Phishing using IE7 local resource vulnerability

2007.03.21

Credit: avivra

Risk: Low

Local: Yes

Remote: No

CVE: CVE-2007-1499

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

Summary
Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its
local resources. In combination with a design flaw in this specific local
resource it is possible for an attacker to easily conduct phishing attacks
against IE7 users.

Affected versions
. Windows Vista - Internet Explorer 7.0
. Windows XP - Internet Explorer 7.0

Workaround / Suggestion
Until Microsoft fixes this vulnerability, do not trust the "Navigation
Canceled" page!

Technical Details and Proof-of-Concept
Can be found here:
http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerabi
lity
.aspx

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Phishing using IE7 local resource vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.