IE 5 Subject to Frame Spoofing
Reported November 30, 1999 by Georgi Guninski
Internet Explorer 5.0 under Windows 95 (guess other versions are affected) with its default security settings allows frame spoofing. The problem is that the location of a frame can be set to an arbitrary URL without the address bar being updated.
This vulnerability allows misleading the user into believing he is browsing a trusted site, while in fact he may be browsing a hostile site which might be
A live demonstration is available at http://www.nat.bg/~joro/msfrspoof.html
Adjust the security settings of IE. In particular, set the "Navigate sub-frames across different domains" security option (under Tools, Internet Options, Security) to Disable.
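To confirm the workaround above was actually applied, the added example below (not part of the original advisory) audits a registry export of the IE security zones. It assumes the option is stored as URL action 1607 under the per-zone "Internet Settings\Zones" keys with 0 = Enable, 1 = Prompt, 3 = Disable, a mapping the advisory itself does not state; the sample export is constructed.

```python
import re

# Assumption (not from the advisory): URL action 1607 backs the "Navigate
# sub-frames across different domains" option; 0=Enable, 1=Prompt, 3=Disable.
SUBFRAME_NAVIGATE = "1607"
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def audit_zones(reg_text):
    """Return {zone_number: setting}; zones without the value are 'Not set'."""
    results, zone = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            zone = int(key.group(1))
            results[zone] = "Not set"
            continue
        if line.startswith("["):  # unrelated key: stop attributing values
            zone = None
            continue
        val = VAL_RE.match(line)
        if zone is not None and val and val.group(1) == SUBFRAME_NAVIGATE:
            code = int(val.group(2), 16)
            results[zone] = POLICY.get(code, "Unknown (0x%x)" % code)
    return results

def exposed_zones(reg_text):
    """Zones where cross-domain sub-frame navigation is not explicitly disabled."""
    return sorted(z for z, s in audit_zones(reg_text).items() if s != "Disable")

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1607"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1606"=dword:00000000
"1607"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1406"=dword:00000003
'''

if __name__ == "__main__":
    for zone, setting in sorted(audit_zones(SAMPLE).items()):
        print("zone", zone, "->", setting)
```

A zone reported as "Not set" falls back to whatever default the browser applies, so it is listed alongside zones that explicitly allow or prompt.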
Microsoft is aware of this matter but has issued no response to date.
Discovered by Georgi Guninski