SEATTLE – Security researchers on Monday warned of a vulnerability in Internet Explorer 7 that could allow malicious attackers to alter content in a legitimate Web site’s pop-up window.
The browser flaw could affect users who visit a trusted site by opening a pop-up window in that site but containing malicious code, CNET News.Com reported. This is the second IE 7 flaw that has been discovered since Microsoft released the browser two weeks ago. Last week, a security flaw was discovered in IE 7 that could spoof the address of a pop-up window.
The two IE 7 flaws, if used in conjunction with each other, can easily dupe all but the most security-minded users, said Thomas Kristensen, chief technology officer of security company Secunia, which discovered the flaws.
Microsoft is looking into the issue, a company representative said.
Secunia rated the most recent flaw as “moderately critical” because viewing the content does not provide attackers access to a user’s computer. But it can still prove harmful if a user enters sensitive information into the malicious pop-up window, such as credit card information, usernames or passwords, Kristensen noted.
The vulnerability is also rated moderately critical because it requires user interaction and affects only particular trusted Web sites.
Secunia noted that the security flaw can affect a fully patched system running IE 7 and Microsoft Windows XP Service Pack 2.
The security company advises users to avoid browsing untrusted sites while browsing sites that they trust.
