14 June 2004

Microsoft has discovered four more flaws in its Internet Explorer web browser that could allow hackers to use fake Internet banking sites to fool unwary users into giving away their login names and passwords.
The net security watchdog, the Computer Emergency Response Team (CERT), issued the warning after finding signs of four new holes in the Internet Explorer (IE) web browser that could allow hackers to use a phoney web address to intercept and download software. Vengeful hackers would then have access to data and files on the PC concerned.
Two of the vulnerabilities allow hackers to hide the real location of a web page by using unauthenticated web pages, while simultaneously displaying a bona fide URL. Hackers are able to hide the fictitious URLs by typing in the characters ‘::/’ before the URL. Users are then tricked into clicking on the bogus web sites by the use of email message prompts or links from other Web pages.
Another unpatched flaw, called ‘cross zone scripting’, tricks users into believing that they are in a ‘relaxed’ security zone, such as those applied to files stored on the local hard drive or those from trusted web sites.
The combination of these vulnerabilities provides a virtually fool-proof recipe for online conmen: hackers can use fake URLs to load content from a site, then use the cross zone scripting holes to make sure they work in what the user thinks is a trusted security zone.
All the holes are variations of those found in IE during the past two years. Using these known flaws in IE, hackers can keep inventing new strains to play on flaws in the design of the software programme.
In particular, Microsoft’s implementation of security zones into which Web pages can be grouped is deeply flawed, as is code in IE for assessing what level of security to apply to a particular URL.
Microsoft hopes to have addressed the problems in time for its monthly release of security patches.