Secunia has found a second security hole in the latest version of Internet Explorer, just a week after its launch, that could put users at risk of an online attack.
The bug allows hackers to place a fake web address in one of the browser's pop-up windows, and could be used to trick a victim into inadvertently downloading something from what appeared to be a trusted website. Based on its initial investigation, Explorer manufacturer Microsoft believes that there is "an issue", a spokesman for the software giant admitted.
While the full URL of the web page being displayed is present in the pop-up window's address bar, the left part of this URL is not initially displayed, the spokesman said. That could allow an attacker to spoof a legitimate website, Secunia said.
Microsoft's confirmation comes after a similar event last week, just hours after Explorer 7 was released, when Secunia said it had found a hole in the browser. Microsoft fired back that Secunia's report was "technically inaccurate" because the flaw lay in a component of Microsoft's Outlook Express email client, which was simply triggered by the browser, rather than in the actual browser itself.
Secunia was not impressed with that response either, with its CTO Thomas Kristensen retorting: "From a technical point of view, Microsoft might be right, but from a user's point of view, or an administrator's point of view, it doesn't really matter. Internet Explorer is the vector. It was probably unnecessary to go out and try to blame Outlook in that way."
Neither of the bugs is considered to be particularly critical. But coming so soon after the launch, they are embarrassing, especially when Microsoft has made much of its focus on delivering secure software.