IE recent phishing vulnerability

Today I read about the recent phishing vulnerability in Internet Explorer. On the Secunia page they had a test page, so I gave it a shot from work.

Internet Explorer is vulnerable

Of course, I also tried it with Firefox.

Firefox is safe

The function StartTest is the one called on the test page to open the spoofed window. It opens two URLs in the same named window: first a cache-busted .swf, then, 2.2 seconds later, the result page:

// Open a URL in a named window; reusing the name 'window' means the second
// call navigates the window opened by the first call instead of opening a new one.
function openWin(url)
{
    window.open(url, 'window');
}

function StartTest()
{
    // Math.random() defeats the cache so the .swf is really fetched over the network.
    setTimeout("openWin('/19521_swf/?" + Math.random() + "');", 300);
    // 2.2 seconds later, navigate the same window to the result page.
    setTimeout("openWin('/19521_swf_result/');", 2500);
}

The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.
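To make the race concrete, here is an added example (my own toy model, not Secunia's test page and not Internet Explorer's code). It models a named browser window in which the address bar changes as soon as a navigation is committed, while the content area only changes when a load finishes. The hostnames, latencies and the assumption that the cache-busted .swf is the slow load and the result page the fast one are constructed for the example; they mirror the timing of StartTest() above but are not taken from the advisory.

```javascript
// Toy model of a named browser window: the address bar updates when a
// navigation is committed, the content area updates when a load completes.
// Two in-flight loads with different latencies can therefore race.
// Written for this post as an illustration; not IE's implementation.

class ModelWindow {
  constructor(cancelStaleLoads) {
    this.cancelStaleLoads = cancelStaleLoads;           // hardened behaviour when true
    this.addressBar = 'about:blank';                    // what the URL field shows
    this.content = { url: 'about:blank', body: '' };    // what is actually rendered
    this.generation = 0;                                // bumped on every navigation
    this.pending = [];                                  // loads still in flight
  }

  // Commit a navigation: the address bar changes now, the body lands later.
  navigate(url, body, latencyMs, now) {
    this.generation += 1;
    this.addressBar = url;
    this.pending.push({ gen: this.generation, url, body, finishAt: now + latencyMs });
  }

  // Advance simulated time (ms). Loads whose deadline has passed are rendered in
  // completion order. The hardened window drops loads that belong to an older
  // navigation generation, which is the fix for this class of race.
  advanceTo(now) {
    const done = this.pending.filter(p => p.finishAt <= now)
                             .sort((a, b) => a.finishAt - b.finishAt);
    this.pending = this.pending.filter(p => p.finishAt > now);
    for (const p of done) {
      if (this.cancelStaleLoads && p.gen !== this.generation) continue;
      this.content = { url: p.url, body: p.body };
    }
  }

  // Spoofed when rendered content did not come from the URL in the address bar.
  // A still-blank window is merely loading, not spoofed.
  isSpoofed() {
    return this.content.url !== 'about:blank' && this.content.url !== this.addressBar;
  }
}

// Replay the StartTest() timeline against the model. Hosts and latencies are
// constructed: the cache-busted .swf is assumed slow (3000 ms) and attacker
// controlled, the result page fast (100 ms) and on a trusted host.
function runStartTest(cancelStaleLoads) {
  const SWF_URL = 'http://attacker.test/19521_swf/?0.42';
  const RESULT_URL = 'http://trusted.test/19521_swf_result/';
  const w = new ModelWindow(cancelStaleLoads);
  const timeline = [];
  const snapshot = (t) => timeline.push({
    t, addressBar: w.addressBar, content: w.content.url, spoofed: w.isSpoofed(),
  });

  w.navigate(SWF_URL, '<attacker .swf>', 3000, 300);   // first setTimeout fires at 300 ms
  w.advanceTo(2500);
  snapshot(2500);                                       // still loading, nothing rendered yet
  w.navigate(RESULT_URL, '<result page>', 100, 2500);   // second setTimeout fires at 2500 ms
  w.advanceTo(2600);
  snapshot(2600);                                       // result page rendered, bar matches
  w.advanceTo(3400);                                    // the slow .swf finally completes
  snapshot(3400);                                       // vulnerable: bar says trusted, content is attacker's
  return timeline;
}

for (const hardened of [false, true]) {
  console.log(hardened ? 'cancel stale loads:' : 'no cancellation:');
  for (const s of runStartTest(hardened)) console.log(' ', s);
}
```

The last snapshot is the interesting one: without cancellation the late .swf load overwrites the content area after the trusted URL has already been committed to the address bar, which is exactly the state a phishing page wants. Tracking a navigation generation and discarding loads from a superseded navigation closes the window in which that can happen.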

