TITLE:
Internet Explorer 7 "onunload" Event Spoofing Vulnerability
SECUNIA ADVISORY ID:
SA23014
VERIFY ADVISORY:
http://secunia.com/advisories/23014/
CRITICAL:
Less critical
IMPACT:
Spoofing
WHERE:
From remote
SOFTWARE:
Microsoft Internet Explorer 7.x
http://secunia.com/product/12366/
DESCRIPTION:
Secunia Research has discovered a vulnerability in Internet Explorer 7, which can be exploited by a malicious website to spoof the address bar.

The vulnerability is caused due to an error in Internet Explorer 7's handling of "onunload" events, enabling a malicious website to abort the loading of a new website. This can be exploited to spoof the address bar if e.g. the user enters a new website manually in the address bar, which is commonly exercised as best practice.

The vulnerability is confirmed on a fully patched Windows XP SP2 system running Internet Explorer 7. Other versions may also be affected.
SOLUTION:
Close all browser windows after visiting untrusted websites.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2007-1/
OTHER REFERENCES:
Michal Zalewski:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052630.html