The Artima Developer Community

.NET Buzz Forum
Internet Explorer File Download Extension Spoofing

Paschal

Posts: 1621
Nickname: bigapple
Registered: Nov, 2003

Paschal is a .Net developer
Posted: Jan 29, 2004 11:40 AM

This post originated from an RSS feed registered with .NET Buzz by Paschal.
Original Post: Internet Explorer File Download Extension Spoofing
Feed Title: help.net
Feed URL: http://www.asp.net/err404.htm?aspxerrorpath=/pleloup/Rss.aspx
Feed Description: .Net for mankind !

http-equiv has identified a vulnerability in Internet Explorer, allowing malicious web sites to spoof the file extension of downloadable files.

The problem is that Internet Explorer can be tricked into opening a file with a different application than indicated by the file extension. This can be done by embedding a CLSID in the file name. This could be exploited to trick users into opening "trusted" file types which are in fact malicious files.

Secunia has created an online test:
http://secunia.com/Internet_Explorer_File_Download_Extension_Spoofing_Test/

This has been reported to affect Microsoft Internet Explorer 6.

NOTE: Prior versions may also be affected.

Source:
Secunia

Another thing: Microsoft plans to launch a patch to disallow the username and password format in the URL, like user:password@mysite.com.

"This decision (to remove the behavior) has been a long time coming. Removing this feature will go a long way towards preventing IE users from being taken by phishing scams," said WhiteHat Security founder Jeremiah Grossman. "As more IE users patch, phishing scammers will need to resort to other methods."

Phishing schemes are socially engineered attacks intended for the sole purpose of obtaining site passwords, credit card numbers and other personally identifiable information.

Commenting on its decision, a Microsoft spokesperson told BetaNews, "This change in functionality will improve user security because the use of this URL syntax can potentially expose the user's name and password in plain text within the URL for the displayed page. An example of the security danger is that in a cross-frame or hidden-frame scenario, script in pages from visited Web sites can easily access the URL, parse it, and determine the username and password for other sites."

From: Betanews
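
A defensive screening check for the two issues described in the post, as an added example that is not part of the original post and not code from Microsoft or Secunia. The function names (`screenUrl`, `screenFilename`) and all sample inputs are assumptions constructed here; it relies on the standard WHATWG `URL` parser to separate the userinfo part from the host that is actually contacted.

```javascript
// Added example: flag links with userinfo and download names carrying a CLSID.
// screenUrl / screenFilename are hypothetical helper names, not a real API.

// A CLSID is written as a GUID in braces: {8-4-4-4-12 hex digits}.
const CLSID_RE = /\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}/i;
// A user name shaped like a DNS name (labels separated by dots).
const HOSTLIKE_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function screenUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { valid: false, host: null, stripped: null, findings: ["unparseable URL"] };
  }
  const findings = [];
  if (u.username !== "" || u.password !== "") {
    findings.push("userinfo present before '@'");
    // Everything before '@' is credentials; the host contacted is u.hostname.
    if (HOSTLIKE_RE.test(u.username)) {
      findings.push("username looks like a host name");
    }
    if (u.password !== "") {
      findings.push("password exposed in URL text");
    }
  }
  // Form that is safe to log or display: same URL with the credentials removed.
  const clean = new URL(u.href);
  clean.username = "";
  clean.password = "";
  return { valid: true, host: u.hostname, stripped: clean.href, findings };
}

function screenFilename(name) {
  // The page only says a CLSID is embedded in the name, so match it anywhere.
  return CLSID_RE.test(name) ? ["CLSID embedded in file name"] : [];
}

// Constructed sample inputs (placeholder hosts and an all-zero GUID).
console.log(screenUrl("http://user:password@mysite.com"));
console.log(screenUrl("http://www.trusted.example@login.other.example/a"));
console.log(screenFilename("report.{00000000-0000-0000-0000-000000000000}.pdf"));
```
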
