Windows 8 has a major phishing security risk

As we have reported in many of our posts, there are quite a large number of feature and security improvements in Windows 8, which is expected to release in the last quarter of this year. But, security analysts are now saying that with new features also come some security risks, too. One such major risk is phishing.

Internet Explorer 10 running under Windows 8 Metro looks pretty nice and neat, and expands over the whole desktop to fully utilize screen real estate. Security experts at McAfee have reported that this full-screen feature of Windows 8 Metro poses a serious security risk. By default, the address bar is hidden for Internet Explorer 10 in Windows 8 Metro. This means that the users will not be able to know the domain in which they are in. This lack-of-URL-bar might help phishing sites to exploit the non-visibility of the URL bar. Confused? Let’s look at an example.

Look at the following two screenshots; one of is PayPal while the other is of a fake PayPal website (click on the images to enlarge them):

Do you know which one is the real PayPal website? Yeah, it is difficult without being able to see the URL, isn’t it. The second one is the real one.

If you are as confused as us in the above example, there is no need to panic. Windows 8 Metro does give users the option to manually enable the URL bar. If the URL bar is set to be visible, then the URL bar will turn green while browsing secure websites, making the genuineness easily identifiable to the user (though there are attackers who spoof secure connections — that is a story for another time). Turning on address bar visibility will help users to easily find what domain they are on.

Experts say that the address bar should be programmed to automatically reveal itself whenever the user is on a page that requests login details. Furthermore, the fairly large number of new features such as WebSockets, HTML5, cross-domain messaging, the support for Web Workers within JavaScript apps, and postMessage all bring with them a new attack surface.

“Malware may require only active browser instances to start and propagate instead of executable control over the entire system,” McAfee Security Architect Prashant Gupta explained. “Proactive measures from antimalware solutions would be the most effective defense in this case because JavaScript is notoriously mutable, and executing JavaScript in a browser is more common for users than running downloaded applications on the desktop.”

This reporter hasn’t fully explored Windows 8 so there may be a compensating feature for phishing scams which I don’t know about; but it is extremely shocking the brains at Microsoft didn’t see this coming when they decided to go full-screen. Feel free to reflect in the comments below.

[via Softpedia | Image Credit: McAfee]

Share this post

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

3 comments

  1. James

    “This reporter hasn’t fully explored Windows 8 so there may be a compensating feature for phishing scams which I don’t know about;”

    This is obvious. IE10 metro pops up the url bar on navigation. It is brightly coloured based on security credentials (bad cert = bright red)

    This url bar stays visible until the user interacts with the page.

    Compare to chrome in fullscreen mode. I prefer the chrome browser but this article is just bad journalism.

  2. SuperGumby

    My comment to a friend who pointed out this article:

    do you have any users who know where the address bar is? Let alone look at it?

    Having just spoken my 37 thousandth user through ‘no, don’t type it into google, put it in the address bar’ I find this a bit of a ‘non-sequitor’.