If you use Internet Explorer 7 and Internet Explorer 7 on Windows Vista, you might fall in a freshly dug cross-scripting hole. The newly discovered vulnerability impacting Internet Explorer was reported by security researcher Aviv Raff. "Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users," Raff explained.

According to Raff, the vulnerability does not require the exploit of any additional third-party software bundled with IE. Instead, an attacker could potentially open a local resource in the browser via a redirection header and bypass the browser's security restrictions. The Internet Explorer 7 navcancl.htm Cross-Site Scripting vulnerability will not receive a high severity rating from Microsoft, as it does not allow for remote code execution, but it can be used in phishing attacks. In this regard, security company Secunia has labeled it as a Less Critical flaw.

"An input validation error exists in the local resource page "navcancl.htm" when generating the "Refresh the page" link. This can be exploited to inject arbitrary script code to e.g. spoof the contents of an arbitrary site when the user clicks on the "Refresh the page" link," Secunia revealed.

In order for a successful attack to take place, an attacker will have to create a malformed navcancl.htm local resource link together with a script designed to display spoofed content of a trusted website. Internet Explorer uses the navcancl.htm local resource when navigation to a page is canceled. In order for an attack to be performed, the user has to hit the Refresh button in IE.

"When the victim will open the link that was sent by the attacker, a "Navigation Canceled" page will be displayed. The victim will think that there was an error in the site or some kind of a network error and will try to refresh the page. Once he will click on the "Refresh the page." link, The attacker's provided content (e.g. fake login page) will be displayed and the victim will think that he's within the trusted site, because the address bar shows the trusted site's URL," Raff added.