Security researchers have discovered a vulnerability in Internet Explorer 7.0 that might lend itself towards the creation of more convincing phishing attacks.

The cross-site scripting (XSS) bug creates a means to replace local page displaying a "Navigation to the webpage was canceled" message with a "Refresh the page" link. "This might be useful in a phishing attack, but it does sound rather complex and requires the user to jump through the hoops," the SANS Institute's Internet Storm Centre notes.

The flaw is perhaps more noteworthy for been among the first to affect IE 7 rather than the immediate threat it poses. Microsoft is investigating reports of the bug.

Meanwhile SANS has added the flaw to its list of unpatched Microsoft security vulnerabilities, as a secondary concern. The most pressing flaw remains a Word vulnerability that permits remote code execution, discovered in February. ®

Related stories

• Unholy trinity of flaws put Google users at risk (24 September 2007)
• YouTube 'riddled with 40-plus security vulnerabilities' (20 June 2007)
• Yahoo! fixes bug that gave free rein to user accounts (15 June 2007)
• Strange spoofing technique evades anti-phishing filters (25 May 2007)
• Interview Day dawns for Metasploit 3.0 (2 April 2007)
• Review Vista security overview: too little too late (20 February 2007)
• IE and Firefox blighted by fake login flaw (23 November 2006)
• Firefox outshines IE in phish fight (15 November 2006)
• Security rivals tried to 'castrate' Vista - Gates (10 November 2006)
• Old bugs blight shiny new browsers (30 October 2006)
• IE7 spoofing bug pops up (26 October 2006)
• MS and researchers split hairs over first IE7 flaw (20 October 2006)
• Information disclosure bug blights IE7 release (19 October 2006)
• IE7 unleashed (19 October 2006)