In the past few days a new vulnerability was discussed publicly: a Cross Site Scripting (XSS) vulnerability against a local resource in MSIE 7 on at least Windows XP and Vista.

The vulnerability is in a local page that displays a "Navigation to the webpage was canceled" message with a "Refresh the page" link. An attacker can send a browser that follows a crafted link to this local resource, making it display a faked address in the address bar and using scripting to make the "Refresh the page" link go to a page of his/her choice. Do not confuse the "Refresh the page" link with the refresh button on the browser.

This might be useful in a phishing attack, but it does sound rather complex and requires the user to jump through hoops.

CVE-2007-1499 (NIST's version); Mitre's version should get updated at their next update of the website. I've also updated the "missing Microsoft patches" table, so we'll track it.

-- Swa Frantzen -- NET2S
Swa, Mar 17th 2007