IE Address Bar Issue
This is Christopher Budd. I wanted to take a moment to share some information about a new public report, received today, of a possible vulnerability in Internet Explorer. As soon as we learned of the report we started an investigation into the issue, and we have some information we can share on it now.


First, this is an issue with how URLs are displayed in the address bar. Specifically, we have seen it occur in a pop-up window that opens after a user clicks a specially formed link on an untrusted website or in an untrusted e-mail.


The full URL is actually present in the address bar, but its left-hand portion is not initially displayed, so the part of the URL that is visible may not be the part that identifies the real server. You can see the full URL if you click either in the browser window or in the address bar and then scroll within the address bar.


We are not aware of any attacks attempting to use this, but as always we will continue to monitor the situation throughout our investigation.


Our general guidance on protecting yourself against phishing attacks applies here as well. Specifically, you should never enter personal information into a website unless you have verified the server’s name by using SSL: the name in the site’s SSL certificate tells you which server you are actually connected to, independent of what the address bar happens to show. We talk about this on our website here.


The other thing I wanted to mention is that in IE7, the Microsoft Phishing Filter can help protect you in a couple of ways should any phishing sites attempt to exploit this issue.


First, the Phishing Filter’s browser-based heuristics can help protect you. These heuristics analyze Web pages in real time and warn you about any suspicious characteristics they find on the page. If someone attempts to use this issue on a phishing site, the Phishing Filter’s heuristics may detect that site as a phishing site and warn you.


Another way the Phishing Filter can help protect you is through our online service. If a site that attempts to exploit this issue is reported to us and confirmed to be a phishing site, we will add it to the Microsoft Phishing Filter’s online service, and it will then be flagged as a phishing site when viewed in IE7.


The Microsoft Phishing Filter online service is designed so that we can update it fairly quickly as sites are reported and confirmed by us. As sites are added to the online service, that information is made available to all users running IE7, which extends protection to customers broadly and quickly.


If you’re new to the Microsoft Phishing Filter (like I am), it might be good to know how you can report a site that you believe is a phishing site. You can report a site you suspect of phishing from the IE7 Tools menu, under Phishing Filter, by clicking “Report this website.” You can also report a site that has been flagged as suspicious and that you believe is a phishing site by clicking the “Report this website” link in the IE7 warning badge.


Note, too, that you need to opt in to the Phishing Filter before it will provide any of these protections.


We do have this issue under investigation and, as always, once we complete our investigation we will take appropriate steps to protect our customers.


I hope this helps to clarify things.
*This posting is provided “AS IS” with no warranties, and confers no rights.*