Another IE 7 pop-up problem discovered

Browser glitch could enable malicious attackers to alter content in a trusted site's pop-up window.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
Dawn Kawamoto
2 min read
Security researchers on Monday warned of a problem in Internet Explorer 7 that could allow malicious attackers to alter content in a legitimate Web site's pop-up window.

The browser issue could affect users who visit a trusted site by opening a pop-up window in that site that contains malicious code. This is the second IE 7 problem that has been discovered since Microsoft released the browser two weeks ago. Last week, a security flaw was discovered in IE 7 that could spoof the address of a pop-up window.

The two IE 7 security holes, if used in conjunction with each other, can easily dupe all but the most security-minded users, said Thomas Kristensen, chief technology officer of security company Secunia, which discovered the problems.

Secunia has classed the latest problem a security vulnerability, while Microsoft states the situation arises from "by-design behavior" in the browsers.

"The (Secunia) report describes a by-design behavior in popular Web browsers that allows a Web site to open or re-use a pop-up window," a Microsoft reprensentative said. "In Internet Explorer 7, the Web page's actual URL is displayed in a pop-up window address bar, enabling users to accurately make a trust decision."

Microsoft said that people who follow its safe browsing guidelines and verify an HTTPS connection before entering sensitive personal information can increase their ability to guard against an exploit.

Secunia rated the most recent flaw as "moderately critical" because viewing the content does not provide attackers access to a user's computer. But it can still prove harmful if a user enters sensitive information into the malicious pop-up window, such as credit card information, usernames or passwords, Kristensen noted.

The vulnerability is also rated moderately critical because it requires user interaction and affects only particular trusted Web sites.

Secunia noted that the security flaw can affect a fully patched system running IE 7 and Microsoft Windows XP Service Pack 2.

The security company advises users to avoid browsing untrusted sites while browsing sites that they trust.