Attackers could exploit a new flaw in Internet Explorer 7 (IE 7) to launch phishing expeditions, Israeli vulnerability researcher Aviv Raff warned in a posting on his blog Wednesday. Microsoft said it is investigating his findings. (full article).

“In his blog, Raff said an attacker can create a specially crafted navcancl.htm local resource link with a script that will display [the] fake content of a trusted site, such as a bank, Paypal or MySpace URL. When the victim opens the link sent by the attacker, a “Navigation Canceled” page will be displayed and the victim will think there was a site error and try to refresh the page.

“Once he will click on the ‘Refresh the page’ link, the attacker’s provided content will be displayed and the victim will think that he’s within the trusted site, because the address bar shows the trusted site’s URL,” Raff added in his blog.”