IE 7.0 vulnerable to address bar spoofing
Despite Microsoft's security efforts and its inclusion of a phishing filter in Internet Explorer 7.0, an address bar spoofing vulnerability has been uncovered in the browser just a week from its release. The vulnerability, which is rated as "less critical" by Secunia, can allow a site to display a fake URL in IE 7.0's address bar without setting off the browser's anti-phishing protection. To its credit, Microsoft says the phishing filter will raise an alert anyway if a user browses to a site that's known to be part of a phishing scam, whether it uses the new exploit or not.
Nevertheless, the weakness is the second such vulnerability found in the new browser so far. The first vulnerability can allow one site to retrieve content from another via IE 7.0, potentially allowing a malicious site to fetch information from, say, an online banking site the user is using. However, this particular vulnerability lies with an Outlook Express component and not IE 7.0 itself, according to a Microsoft developer's blog.