Microsoft Internet Explorer OnUnload Javascript Browser Entrapment Vulnerability
IE vulnerable to user-trapping flaw
Internet Explorer is vulnerable to a JavaScript flaw that could allow a hacker to trap a user on an infected Web page. A hacker can manipulate a user's address bar to make it look like the user has navigated away from a page that he or she is, in fact, trapped on.
This is possible because the flaw allows a hacker to spoof the address in the address bar. Even manually typing in an address in the address bar won't protect you from this flaw. All the hacker has to do is fake the contents of a trusted Web site to create the perfect environment for phishing.
This vulnerability has been confirmed in IE versions 6 and 7, regardless of what OS the browser is installed on. Firefox 2.0 was also vulnerable to a similar flaw, but this bug was fixed in Firefox 2.0.0.2, which was released last week.
Workaround #1:
Switch to Firefox to browse the Internet, or, if you don't want to use Firefox, the next best thing to do is to disable "Active Scripting" in your Internet Options > Security tab > Custom Level, in Internet Explorer, until this JavaScript flaw is fixed.
Workaround #2: Solution:
Close all Internet Explorer browser windows after visiting untrusted websites.
Vulnerability reported by Michal Zalewski and Jakob Balle (Secunia Research)
Another Unpatched Vulnerability in Internet Explorer
Moderator: Wiz Feinberg
Wiz Feinberg
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog