Currently, Microsoft has two Windows Vista vulnerabilities under investigation

Feb 27, 2007 10:23 GMT

Two vulnerabilities affecting Internet Explorer 7 and Windows Vista are under investigation by Microsoft. The Redmond company is looking into the two low-risk flaws and does not consider either of them a high risk to customers.

The vulnerability affecting Internet Explorer 7 is related to an error in the browser's handling of "onunload" events. The flaw "could be exploited by attackers to spoof the displayed address bar by tricking a user into entering a trusted URL manually in the address bar while visiting a malicious web page," according to the French Security Incident Response Team.

Through the IE7 onunload vulnerability, an attacker can trap users in a malformed web page while tricking them into thinking that they have navigated to a genuine address. There is a strong chance that the onunload flaw will be used for spoofing in phishing attacks.

Microsoft is also evaluating a new flaw in Windows Vista. The Microsoft Windows ReadDirectoryChangesW() vulnerability was assigned a low severity rating. "A weakness has been identified in Microsoft Windows, which could be exploited by malicious users to disclose sensitive information. This issue is due to an error within the 'ReadDirectoryChangesW()' API that does not properly validate user's permission for child objects when retrieving information regarding objects that they do not have 'LIST' permissions for, which could be exploited by local attackers to gather information about protected files (e.g. their names), facilitating further attacks," the French Security Incident Response Team reported.

Currently, Microsoft has two Windows Vista vulnerabilities under investigation. Both present a low risk to users.