Danish security company Secunia has found its second flaw in IE7, to which Microsoft has responded swiftly.
The flaw lets hackers put a fake web address in a pop-up window, and could trick users into downloading from what looks like a secure website. The hacker can add special characters to the end of the web address so that only a part of the URL is displayed.
Microsoft's Christopher Budd has quickly posted an entry to the Security Response Center Blog, agreeing that there is an “issue with how URLs are displayed in the address bar. Specifically, we've seen that this occurs in a pop-up window after a user clicks a specially formed link on an untrusted website or in an untrusted email”.
He explains further: “Now, while the full URL is actually present in the address bar, the left part of the URL is not initially displayed. But, you can see the full URL if you either click in the browser window or in the address bar and then scroll within the address bar”.
The flaw is rated as “less critical” by Secunia, and Budd writes that Microsoft isn't aware of any attacks exploiting this flaw, but that the team is keeping an eye on it. He uses the rest of the entry to explain Microsoft's Anti-Phishing filter in IE7 and how it can protect against attacks exploiting flaws like the one Secunia has found.