A vulnerability in Microsoft's Internet Explorer (IE) browser could help fraudsters make phishing websites appear legitimate, a security researcher has warned.
The flaw lies in the way IE7 processes a locally stored error message page that is typically shown when a user cancels the loading of a web page, security researcher Aviv Raff warned.
The error message tells the user: "Navigation to the webpage was cancelled," and offers the opportunity to "refresh the page". If the refresh link is clicked, IE can be tricked into displaying the wrong web address for a page.
Raff has published proof of concept code that shows how IE can be made to display a web page on his website as if it is from the cnn.com domain.
The flaw could be exploited by phishers who want to make their spoofed websites appear legitimate, Raff said.
"I can inject a script that will display anything I want in the page when the user clicks the 'refresh' link," he said. "Combining this with the design flaw, an attacker can render in the browser whatever he wants with whatever URL he wants in the address bar."
This type of bug is known as a cross-site scripting vulnerability. It affects IE7 on Microsoft Windows Vista and Windows XP, Raff added.
Microsoft said it was investigating the issue, but was not aware of any attacks attempting to use the reported vulnerability or of impact on users so far.