The vulnerability reporting firm said that an anonymous tip led it to the flaw, which allows a web page to open a pop-up window with a spoofed address bar: special characters appended to the URL cause the browser to display only part of the address bar, which could fool users into trusting the pop-up.
The hole is listed as a "less critical" vulnerability by Secunia, which has a demonstration of the vulnerability on its site.
According to Thomas Kristensen, Secunia's CTO, a vigilant user might spot that something isn't quite right when the pop-up appears, but he is worried about the danger to average users.
"This is the kind of spoofing vulnerability that (Microsoft) IE7 was supposed to be better at protecting against than its predecessor," said Kristensen. "Any user not wearing the paranoid glasses is easily fooled by this trick - despite the built-in anti-phishing mechanism being enabled."
Less than a week after its release, IE7 has already had a pair of vulnerabilities reported publicly. Just hours after the browser was first distributed, Secunia warned of an error in redirection handling for URLs using the mhtml: URI handler.
Email Ericka Chickowski.