Bug Spoofs Internet Explorer Addresses
Yet another vulnerability pops up in Internet Explorer -- this one affecting how the browser loads Flash files, which use the ".swf" extension.
April 4, 2006
Microsoft's Internet Explorer, already stung by a bug currently being used by hackers to infect PCs with spyware, suffers from yet another vulnerability, a researcher said Tuesday.
The bug affects how the browser loads Flash files, which use the ".swf" extension. Attackers can use a Flash file to spoof the address bar in IE to disguise the true URL of the site being viewed. Address bar spoofing is a long-time phishing tactic used to mask a bogus URL.
(Oddly enough, recent research by a trio from Harvard and Berkeley shows that few surfers use the browser address bar to detect fake sites.)
Danish vulnerability tracker Secunia rated the IE spoof as "less critical," in part because the name of the Flash file appears in the browser window.
To protect against such a spoof, Secunia recommended that users disable IE's Active Scripting feature. Microsoft has given the same advice to deflect attacks exploiting the createTextRange vulnerability, which the Redmond, Wash., developer promised would be patched no later than April 11.