In the past few days a new vulnerability was discussed publicly: a Cross Site Scripting (XSS) vulnerability against a local resource in MSIE 7 on at least Windows XP and Vista.
The vulnerability is in a local page that displays a "Navigation to the webpage was canceled" message together with a "Refresh the page" link. An attacker can direct a browser to this local resource through a crafted link, making it show a spoofed address in the address bar and using scripting to make the "Refresh the page" link lead to a page of the attacker's choice.
Do not confuse the "Refresh the page" link with the refresh button of the browser.
This might be useful in a phishing attack, but it does sound rather complex and requires the user to jump through hoops.
CVE-2007-1499 (NIST's entry); Mitre's entry should be updated at their next update of the website.
I've also updated the "missing Microsoft patches" table, so we'll track it.
Swa Frantzen -- NET2S
Mar 17th 2007