New URL Spoofing Bug in Pre-SP2 IE

An anonymous reader writes "According to Netcraft a new security flaw has been found in Microsoft Internet Explorer which makes it possible to spoof a URL with just some simple HTML code, by enclosing two URLs and a table within a single href tag. The user will be sent to one site, but the status bar will show a fake URL. The bug apparently affects IE and Outlook Express up to but not including SP2. Firefox and Konqueror seem unaffected."

Comment removed

[account_deleted]

Comment removed based on user account deletion

Safari is affected also

[dereklam]

This exploit also affects Safari 1.2.3 on Panther.

Re:Safari is affected also

[v1]

Doesn't appear so here.

I just tested their spoof http://news.netcraft.com/archives/2004/10/29/new_u rl_spoofing_flaw_found_in_internet_explorer.html with Safari 1.2 (v125) and it shows 'google.com' in the address bar. I also tested Internet Explorer 5.2.3 on my mac and it also shows 'google.com' in the address bar.

So it would appear that the mac is (at least for the two main browsers of choice) not affected by this security hole.

Re:Safari is affected also

[johnbeat]

On Safari 1.0.3 on Jaguar it is sort of but not really affected. My moving the mouse around the link, I see either "Open http://www.microsoft.com/ in a new window" or "Open http://www.google.com/ in a new window" in the status bar.

But whichever one I see in the status bar, that's the one Safari goes to when I click.

Jerry

Re:Safari is affected also

[dereklam]

I just tested their spoof http://news.netcraft.com/archives/2004/10/29/new_u rl_spoofing_flaw_found_in_internet_explorer.html [netcraft.com] with Safari 1.2 (v125) and it shows 'google.com' in the address bar

The exploit affects the status bar, not the address bar. With Firefox / Camino, when I hover the mouse over the microsoft.com link, the status bar reads "google.com". With Safari, the status bar reads "microsoft.com".

Re:Safari is affected also

Isn't the status bar disabled by default in Safari?

Re:Safari is affected also

[ZackSchil]

You know what? It is, but I've never seen a single Mac, even in an Apple Store, even is the most idiotic user's house, that does not have it turned on. Funny how things work that way.

Re:Safari is affected also

My Safari 1.2.3 is affected. So is OmniWeb 5.1 beta 3.

Re:Safari is affected also

[MightyYar]

The funny thing is that I didn't even know that Safari had a status bar until I read your post! Sure enough, you can enable it from the View menu, and sure enough, this "exploit" works.

Patch

Patch available here

Re:Patch

[scupper]

that was a beautifully executed patch release

Re:Patch

http://www.microsoft.com

Re:Patch

[Jeff+DeMaagd]

Some could say that one should update to service pack 2, but IIRC, there are just as many W2k installations as there are XP installations.

We've been through this before...

Bug in outdated software.

Why is this news?

Re:We've been through this before...

Because SP2 breaks things, and many organizations simply can't upgrade until those bugs are fixed in Windows, or their software vendors fix their software. MS should continue to update IE, since IE is not the only "fixed" part of Windows in SP2.

Re:We've been through this before...

[hexag]

Because people who don't update their software are a huge majority, they are also not the most tech savvy, thus more likely to fall for internet banking scams, which would be the main application for this flaw.

Just because you & I have fully patched up systems, doesn't mean everyone else has.

Re:We've been through this before...

[Overzeetop]

If you've got a big in-house project with 12 weeks of work remaning and 9 weeks of calendar time, who do you think is goint to approve applying a patch (SP2) taht could cause conflicts with your design environment?

Re:We've been through this before...

What a great idea! Instead of testing this major operative system change during development, you can just send it out to users and see if they have any compatibility issues. That'll save you loads of time over trying it yourself!

Re:We've been through this before...

[dn15]

It's news because it's a bug in software that most people use but will probably remain unfixed for anyone running Windows earlier than XP SP2. And I'm sure it helps that this is software that is not particularly popular with this crowd. ;)

Re:We've been through this before...

It's news because XP is getting stable enough that to make new articles, it's necessary to report on old unpatched versions... this just in, Red Hat Linux prior to all patches has many security holes!! OH NO!

It affects a bunch of browser, so I fail to see how pointing out that it affects OLD versions of anything is relevant.

Re:We've been through this before...

[redJag]

He's talking about the machines you're using for development, not testing. Needing to reformat a test machine is no biggie.

Re:We've been through this before...

[mattyrobinson69]

because:

a) windows 2000 is still supported (upgrades are available), yet microsoft will say XPSP2 is the patch for windows 2000 (its like saying the linux 2.4 series kernel is outdated software)

b) not everybody can migrate to SP2 because their software isn't compatible - to those people linux would be just as suitable to them to fix the problem, compared with SP2

Re:We've been through this before...

[Spacejock]

Because I've installed SP2 twice on my Windows XP box, and it stuffed it up both times. I had to Ghost my backed-up partition back again to fix it. (And I've had way too much XPerience with Microsoft service packs NOT to Ghost the partition first...)

With SP2 installed I get a blue screen at bootup with a string of meaningless error messages (your computer has crashed, basically) and an error 000000E7, which could be bad memory (unlikely, I run Linux on the same beast, an Athlon64 3400+), or it could be excessive bandwidth on USB devices (!) or apparently it could also be a bad driver.

Whatever it is, I can't install SP2 so I can't patch IE. Just as well I've been using Firefox since it was Phoenix 0.6.

Oh yeah, and I paid my thirty bucks to Spread Firefox. It's a seriously good browser.

Re:We've been through this before...

[Sputum]

It's only a bug in outdated software if you consider Firefox RC1 to have been outdated by its predecessor!

I'll get my asbestos suit.

Old/10

[jZnat]

I just know I saw this somewhere about an hour or two ago, and I'm pretty sure I saw it here on /., but I don't remember where. Oh well...

Old/10 (It's like walking with the dinosaurs! And Jesus is riding them! And the Dell Dude got arrested too! whoamg!)

Re:Old/10

[JonLatane]

It's in the first comment on the "NYT Firefox Campaign Raises $250,000" article.

Re:Old/10

[SimbaK2K]

It was on the mozilla $250k new york times ad compaign story.

Re:In other news ...

How big is NS4's market share? .5% maybe? IE? 90%+? It's also incredibly easy to do, can't be disabled by turning off JavaScript and there's no patch unless you're an XP user in which case you have to upgrade the whole OS.

Safari

[P-Nuts]

Worryingly, Safari is also fooled by the bug - the status bar shows http://www.microsoft.com/ before you click on the link, but the address bar in the resulting window correctly shows http://www.google.com/.

Re:Safari

[pe1chl]

That is the same thing IE does.

Safari Affected?

[TheGuinnesseur]

The article says:

"The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2, but are current on all other critical updates from Windows Update - as well as the Safari browser for Macs."

Is it just me, or is that a typo? My version of Safari (1.2.3 v125.9) seems to handle their sample malformed tag just fine, displaying www.google.com as it should. Can anyone confirm or deny whether Safari is affected by this problem?

Re:Safari Affected?

[BandwidthHog]

Yes. Safari 1.2.3 (v125.9) is vulnerable on my fully patched (with the exception of the latest QT, as I'm something of an uptime whore) 10.3.5 machine. The status bar showed microsoft.com when hovering over the link on Netcraft's advisory page.

And in launching Safari to check, I was reminded once more how much more smoothly it scrolls than Firefox. Damn shame, that.

Re:Safari Affected?

my safari is not affected...same version as yours

Re:Safari Affected?

[caerwyn]

Safari *is* affected at 1.2.3 v125.9. Look at the status bar as you mouse-over the link before clicking; that's there the exploit is. This is not the same as previous exploits that showed a fake URL in the actual URL bar.

The link says www.microsoft.com, mousing over it pops up www.microsoft.com in the status bar in the lower left corner of the window. Clicking the link results in a page at google (with google url in the URL bar).

Re:Safari Affected?

[bmoore]

Interesting... VERY interesting... I also have Safari 1.2.3, v125.9. When I hover my mouse over the link, it shows www.microsoft.com in the status bar. If I click the link, I go to google, but if I r-click and choose "Open Link in New Tab" (or new window) I go to www.microsoft.com.

Odd. Very odd. Hopefully Apple will arrange for some consistency in operation soon.

Re:Safari Affected?

[SnprBoB86]

Some one please mod up the confirmations/denials of this

Re:Safari Affected?

[rthille]

Before I click on their sample link, I get 'microsoft.com' in my status bar at the bottom of the window. So, I would say the attack works.
Note that the address bar in the visiting window correctly shows google.com. Not sure that's the case with IE.

Re:Safari Affected?

No mod points here, but this comment is in complete agreeement with the behavior I observe using Safari 1.2.3 (v125.9) under 10.3.5 (updated to current with minor, presumably unrelated exceptions such as iPod and Bluetooth related updates)

Re:Safari Affected?

[MoonBuggy]

Same here, although even stranger is that I get the same behaviour as you when doing a ctrl+click -> 'Open in New Tab', but when using option+click to open in a new tab it goes to Google.

Lol, Mac fanboys have it too

[Xenu+Xenu+Xenu]

As usual on Slashot, truth takes a back seat to MS bashing

Re:Come on people!

Actually, more bugs are being found in Firefox than in IE right now. BUT, the firefox source is available, so people can look through it for bugs, AND Mozilla is giving away money for people who find security bugs, AND startup securty companies are trying to make a name for themselves by finding securtiy holes in Firefox.

I still say definately switch away from IE, but realize that other browsers have security holes too.

Pre SP2?

[jmartinp]

What does this mean for Windows 2000 users?

Re:Pre SP2?

[jZnat]

Try the link in Win2k IE (latest updates all included to make sure) and tell us what it means for Win2k users. I would assume pre-SP2 means EVERYTHING pre-SP2, including pre-XP OS's.

Re:Pre SP2?

[Cromac]

Or Windows 2003. Yes, it's a server OS and you shouldn't browse using your server but some companies, like the one I work for, uses Win2003 as the client for everyong in R&D (site license).

Re:Pre SP2?

[jmartinp]

You are assuming that I have a Win2K box available. I do not, I only wondered, as Microsoft only made some of the changes to IE available with XP SP2.

Re:Pre SP2?

VMWare or Virtual PC and Suprnova.org

Its a bug affecting OLD versions, this is patched. This is news? I dont think so, This is like reporting an old bug in firefox 0.01 and its patched now but yet crying foul. WOuld you hear about that ? No.

Re:Pre SP2?

My IE 6.2800.1106 SP1 + latest patches @ W2k goes to microsoft's site.

Re:Pre SP2?

[dn15]

What does this mean for Windows 2000 users?

It means they should get Firefox.
;)

Re:Pre SP2?

[general_re]

Well, hell - I happen to be sitting at a Win2k box right now, with a fully updated IE. I never use it - I'm a 'fox fan myself - but I do keep it patched. And the bug does appear to affect a fully up-to-date version of IE 6 (6.0.2800.1106) on Win2k - the status bar shows www.microsoft.com, rather than the actual link target of www.google.com. Doesn't strike me as much of a "hole", but it's there.

Re:Pre SP2?

[DoraLives]

What does this mean for Windows 2000 users?

Just fired up a spare W2kSP4 box that's running a couple of months behind in updates. The bug is definitely there.

I'm now downloading the latest Windows updates (dialup on that particular box, unfortunately) and will try again and see.

Re:Pre SP2?

[mattyrobinson69]

it means one of three things:

1) pay to upgrade to XP
2) 'pay' to upgrade to XP
3) your fucked

People will be saying bugs in outdated software - so what, but windows 2000 is comparable with the linux 2.4 kernel, its still maintained, but its not the latest.

(2.4 isn't considered old software)

Re:Pre SP2?

[Artemis]

Unless of course you're running Terminal Services, in which case the upgraded IE would be greatly appreciated.

Spoof doesnt work for me

Doesnt work for me. IE6 with Windows XP SP2. The status bar shows "www.google.com" and that's where it sends me.

Whoever said this affects all versions of IE clearly jumped the gun and needs to re-evaluate. When will the apology and retraction be issued? Will it make the front page on Slashdot?

Re:Spoof doesnt work for me

[Cromac]

What an amazing lack of reading comprehension. Everything from the summary to the article specifically says "PRE SP2".

Quote from the article: "The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2,"

When will you apologize?

Re:Spoof doesnt work for me

might of expected a +1 flamebait mod for your comment
raging students with a hardon about MSIE dont like hearing the truth, but this is slashdot where immaturity is celebrated

A sample of what it looks like

[grahamsz]

http://graha.ms/iesploit.html

Doesn't seem like anything that couldn't be done with javascript.

Re:A sample of what it looks like

[AngryScot]

The point is this will work with scripting disabled.

This means people who think that they know where they are going could be fooled.

Saying that: If you know how/why to disable javascript I'm sure you would upgrade your IE or use firefox etc

Re:A sample of what it looks like

[pronobozo]

"Doesn't seem like anything that couldn't be done with javascript."

True.. but a point is that you can have java turned off thinking you are more secure, while this exploit doesn't require it.

Re:A sample of what it looks like

Hopefully you will one day learn the difference between Java and JavaScript.

Re:A sample of what it looks like

[pipingguy]

Javascript is not Java

Re:A sample of what it looks like

[pronobozo]

"Javascript is not Java" oh really? I didn't know that :-P Whether it's javascript or java the point is that if someone has java and javascript disabled thinking they are more secure there are ways that even with plain html, spoofing can occur.

Re:A sample of what it looks like

[Espectr0]

For me, on Safari in Panther, the link goes to microsoft.com. Weird, even more after seeing here that some people are affected

Re:A sample of what it looks like

[pipingguy]

Whether it's javascript or java the point is that if someone has java and javascript disabled thinking they are more secure there are ways that even with plain html, spoofing can occur

But Java is a fairly hefty program download as compared to JavaScript, which is built into most popular browsers.

That's a big difference as far as I can see.

Outdated?

Windows 2000 is still supported and there is no available fix for it other than installing a new browser. Some applications still require you to use IE, though.

Re:Come on people!

[tesmako]

Or possibly it should be apparent to IE users that installing SP2 several months ago really was a good idea.

Sure one can argue that one should not use IE, but this is not a terribly good reason or interesting news. It should be quite apparent to IE users however that if they haven't yet installed SP2 you need to do so right away. Running without it is just stupid.

Reading doesn't work for you either

New URL Spoofing Bug in Pre-SP2 IE

Pre-SP2, you know, versions prior to SP2?

You said this Slashdot story was inaccurate. When will the apology and retraction be issued? Will it make this comment thread?

Sort of ...

[Dlugar]

Just tested it with Opera 7.54 for Linux ... if you mouseover the actual text, "google.com" shows in the status bar, but if you position your cursor just exactly so that it's kinda over the URL, but not over any of the text, then you can get "microsoft.com" to show.

But I'm kind of confused as to why this is a big deal ... can't you just use Javascript to rewrite the status bar anyway?

Dlugar

Re:Sort of ...

[Captain+Splendid]

Well, a semi-savvy IE user could have javascript turned off...but yeah, this strikes me as no big deal either, just another slam at IE.

Re:Sort of ...

So you might think you're going to your bank's web page when in fact it's a "you been had" page.

Re:Sort of ...

[Dlugar]

In another thread somebody mentioned that if you turn off Javascript that this "URL Spoofing Bug" doesn't work either. Anybody with IE care to check it out?

Dlugar

Re:Sort of ...

Try the people on a href="http://blogs.msdn.com/ie/

Re:Sort of ...

[fbjon]

Opera 7.60 on Win2k is completely unaffected. The link say where it will go just as normal, except for the 1-pixel border around it, which also says where it will go just as normal.

Re:Sort of ...

[Tony-A]

IE 5, NT 4 SP6 virus-running stuff renamed. Unpatched for 2-3 years or so.
Shows http://www.microsoft.com
Same in status bar
Right-Click-down shows http:\\www.google.com in status bar
Right-Click-up shows context menu.

"The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML. The attack opens one href tag, and then leaves that tag open while enclosing a second URL within a table. The browser displays the first URL in the status bar, but sends users to the second URL."

Such is the penalty for "working" with broken HTML.
Different browsers can be expected to have different opinions as to which is theURL that is encoded. Different opinions within the same browser is almost a guarantee of something exploitable.

Re:Come on people!

[Mattcelt]

IIRC, IE is the only browser that the US-CERT has issued a statement not to use due to security concerns.

What really worries me is how many U.S. Government agencies and defence contractors still use IE as their standard browser.

That's the point

It doesn't need to be done with Javascript. A lot of people disable Javascript to make themselves safer. Mozilla/Firefox of course lets you disable Javascript that changes the status bar text.

Firefox?

[jargoone]

Firefox and Konqueror seem unaffected."

That's good to know! In other news, Oracle is unaffeced, as is the price of tea in China!

In other news...

[blibloblu]

..it appears that a bug was found in Linux 0.1.

Re:In other news...

How can a Windows 2000 user, with an OS still supported by Microsoft, upgrade to a patched version? Oh wait, they can't.

Re:In other news...

How can a Windows 2000 user, with an OS still supported by Microsoft, upgrade to a patched version? Oh wait, they can't.

Sure they can...they can upgrade to Windows XP SP2. If they choose to stay with an older platform that's *their* decision. Fact is Microsoft's current version of Windows, which Windows XP SP2 *IS*, is unaffected by this.

Re:In other news...

It's one thing to not support an OS that is several years old and not commonly used. It's quite another to not support one that isn't and is. Many business users can't just plot XP SP2 on every machine they have because they have software that they must use which either is not compatible with XP SP2, or has not been fully tested on it.

Re:In other news...

So, they have to pay to get a working version of the software they have? That certainly seems fair! Windows 2000 is still sold and supported by Microsoft, and used in a lot of companies. They should patch it.

Re:In other news...

So, they have to pay to get a working version of the software they have? That certainly seems fair! Windows 2000 is still sold and supported by Microsoft, and used in a lot of companies. They should patch it.

How do you know that they're not? So far Microsoft has done a good job of providing patches for Windows 2000. Just because there's not a patch available yet doesn't mean that they won't make one available in the future.

Re:In other news...

No, I'm arguing with a fool who says there is a patch, and it's called SP2. I'm saying that's not a patch for Windows 2000 users, and they should make one.

Re:In other news...

[tepples]

Redhat 5.2 and Irix 6.5.11 are vulnerable to remote root exploits.

Red Hat Linux 5.x and Irix 6.x don't have near the market share of Windows 98, Windows ME, and Windows 2000, none of which can run IE SP2.

You can't blame microsoft for people not upgrading.

Yes, I can blame Microsoft for charging more than many home users can afford for Windows XP, a pre-requisite for the SP2 upgrade, and the RAM required to upgrade a Windows 98SE-spec machine to Windows XP.

Re:In other news...

No, I'm arguing with a fool who says there is a patch, and it's called SP2.

No, you're arguing with someone who says that XP SP2 is unaffected. If you choose to remain with Windows 2000 then you either have to wait for Microsoft to release a patch or you have to upgrade to Microsoft's current operating system. Either choice is *YOURS*. No one else is making it for you.

Re:In other news...

You are missing the point. He says this doesn't matter because SP2 fixes it. It does matter, to the millions of people using IE on Windows 2000. There is no patch. Maybe there will be eventually, maybe there won't be, but for now, 2K users are totally out of luck and there's no denying that this is an issue to them.

Re:In other news...

You are missing the point.

No, I'm not missing the point. The point is that older software isn't given the same priority as newer software. That's the realities of life...even outside of the computer world.

Re:In other news...

[teab+v1.0]

Define people not upgrading. We played with this at work about a day ago... my PC (WinXP, SP2, patched to date) was fine with IE, although Firefox got very confused. Opera was quite happy, and ignored the problem. The guy who bought this up was having issues. He was running Win2K, SP4, patched to date. Spot the difference.

He's quite happy running Win2K (and I'd rather do that, but don't have the option). He's up to date, as far as he can be without reinstalling his PC, and he appears to be at risk. There should not be an implied "you should upgrade to the latest OS because you are running an out-of-date one" with this. It's a problem with the browser, not a gaping hole in the OS.

Apache, too!

[DogDude]

And while we're at it, I've heard that a new bug was found in Apache 1.0!

Re:Apache, too!

[jZnat]

Apache 1.3.32 to be exact, and it was only one potentially problematic bug. They've already released .33 which fixes the problem. Don't try to troll as you phail at it.

IE users..

[Xeo+024]

To test the URL simply right-click it and it'll display the real URL, if that doesn't work right-click it and go to properties.

But your best bet would be to either update or switch to an unaffected browser.

What's worse?

[nile_list]

What's worse? IE being vulnerable to spoofed URLs because of malformed HTML, or Firefox crashing because of the same thing?

Re:What's worse?

[lightdarkness]

Firefox 1.0 RC1 isn't crashing for me when clicking the link.

Re:What's worse?

Crashing is fine. It's better than doing the wrong thing like executing the malformed code.

Re:What's worse?

I would rather have it crash instead of fooling me with no hints. With IE you get spoofed, with firefox you are only a victim of a bug.

Re:What's worse?

[asavage]

Crashing usually means executing malformed code.

Re:What's worse?

No it doesn't.

Re:What's worse?

Mods, the parent is trolling.

Re:OK, OK I will download Firefox

[lightdarkness]

FF, reformating the world, one windows box at a time.

Do they really?

[grahamsz]

Most people i know have no clue about disabling javascript - but they are also the sort that wouldn't thing to look in the status bar.

Bill Gates uses Firefox

Do you really think he uses IE?

Re:Bill Gates uses Firefox

[lightdarkness]

Not sure, but Microsoft's security manager uses it! http://it.slashdot.org/article.pl?sid=04/08/30/183 5212&tid=201&tid=172&tid=218

affected my Safari :-(

[quacking+duck]

Just tried it myself on Safari v125.9 on 10.3.5; unfortunately the spoof worked.

Hovering over the actual link showed microsoft.com in the status bar, but clicking it did indeed go to google.

However, I can click outside the link on the same line (thanks to the table spanning the entire width of the article box), and it'll go to microsoft.com as indicated in the status bar when howevering over the line.

Re:Come on people!

[electrofreak]

Actually, I have to say that installing SP2 was not a good idea, atleast in my experience. I installed it on one of my computer systems, and it didn't boot. This was just last week, so don't say I probably installed it before it was safe. I had to spend all day installing everything again and of course spend atleast 2 hours of that just getting the damn Windows Updates to make my fresh install current. I will never install SP2 again. Though, I do use firefox, and have been very happy with it because since I've started using it, I've had like no problems with the windows operating system at all.

Anyway, if we recall...

[SILIZIUMM]

Last january, Microsoft Advised to Type in URLs Rather than Click. You have been warned early, consider yourself lucky !

I haven't seen a post of this yet...

[rel4x]

<table>
<tr><td>
<a href="http://www.google.com/">http://www.microsoft .com</td></tr></table></a>

Re:Come on people!

[avgjoe62]

SP2 for what? IE 6? I'm already on SP4 for my Win 2K boxes. Or do we have to all buy XP and apply SP2 for us to brwose safely?

Re:In other news ...

I agree. I have visited this site for over 4 years now and this place has continued to go downhill. It's not just the double headlines, but trolling people with reasonable counter opinions. I think this site started out as a good idea and has done nothing since then but fall apart. Maybe they will turn control over to real objective minds with real-world IT experience.

Goatse...

[SILIZIUMM]

Too bad the original goatse.cx is down, that could be fun. "Hey Jim, check that financial report!"... At least we have mirrors...

Re:Come on people!

[lightdarkness]

When my father installed SP2 at work (even though I told him not to) His whole system crashed, and had to get an entriely new harddrive, and he had to BUY windows XP again, they wouldn't refund him! Since installing firefox, 0 spyware, 0 adware, 0 viruses, 100% satisfaction.

'Friendly URLs' ?

One of the reasons why I have 'Friendly URLs' on in IE. Anybody know if this still works with Friendly URLs on?
I'm using IE SP2 so thats why I'm asking...
For a shortcut for Google I see 'Shortcut to http://www.google.com/' rather than just 'http://www.google.com/ '
(I know when the status is changed as it will not have 'Shortcut to')

it's not a bug....

[overmeer]

Am I posting this on slashdot?, 'cause the latest from cowboyneal says Linus joined microsoft?

Nothing New

uhh people have been messing with URL's and the Status Bar for ages... nothing new, move along...

Old Mac IE

[Vale+of+Shadow]

I have a lot of users who despite gentle prodding, still use/need Mac IE of the classic and OSX variants. Is this susceptibility there as well?

Re:Old Mac IE

[Daedala]

I'm running OSX 10.2.8, fully patched. I fired up my old IE 5.2.1 (4717). The link text is www.microsoft.com and the status bar is www.microsoft.com, but the page goes to google and the URl on that page shows www.google.com.

I never did get Safari 1.0.3 to show me a status bar, so that one doesn't really matter.

Firefox 0.9 fom 6/14/04: link text is microsoft.com, status bar is google.com, page is google.com.

Re:Old Mac IE

hit Cmd-/ for safari to show you its status bar .. it's also in the View menu, I think.

Re:Here's a fun idea

[Analog+Anomaly]

hmm IE 6.1 on XP HE SP 1a... alleged exploit example on netcraft doesn't work in IE. I generally use firefox anyway. *shrugs* must be some automagic fix eminating from my slackware boxen, or one of the many things i've done with this boxen.

Right

[Safety+Cap]

We all know how you want to work for Microsoft when you graduate from high school, but Mrs. Phelps in Science said she wasn't going to pass you unless you turned in all your homework.

Man, that's like 3, 2-page papers!!! Better use 1.75" spacing and 1.25" margins and 14 point type.

It SORT OF affects SP2!

[SnprBoB86]

With my SP2 system I naviagated to http://graha.ms/iesploit.html/ and hovered over the link. This is what I discovered:

If you place the mouse on the link it shows the link will take you to google as it should, but if you place the mouse just outside the link (I guess on the table border) it says microsoft. The kicker is, that when it says Microsoft, clicking the link will not do anything.

Safari goes to wrong place

[goynang]

Safari goes to the wrong URL too.

Just tried the demo and ended up at Google rather than where the link looked like it should go.

Damn!

Re:Safari goes to wrong place

[LiquidCoooled]

Be thankful it goes to the wrong place.

What you were doing clicking on a Microsoft link in the first place I dunno. ;)

Re:Safari goes to wrong place

[siriuskase]

but if you click further to the right, it goes to microsoft, so be careful. I'd never been to the microsoft website before, so now I don't not what cooties I've picked up.

Re:Safari goes to wrong place

[burns210]

Firefox 0.9.3, win xp sp1.

Clicking the link takes me to Google.com, the status bar says Google.com also.

Non-standard HTML

I wonder how much easier browser developers' lives would have been if MS and Netscape had decided early on that invalid HTML, such as these links, would not be rendered.

A guy can dream can't he?

Konqueror unaffected also

[c0p0n]

Konkeror on KDE 3.3.1 draws a transparent table (the one faked on the link) around the link, being both (the link and a small space outside the text link) clickable, but with different destinations. The resulting window (either google or microsoft) has no spoofed url.

shock horror

this is what porn sites have been doing for years, for those who want the secret here it comes

<a href="http://google.com" onclick="self.location='http://microsoft.com';retu rn false" onmouseover="top.status='http://google.com';return true" onmouseout="top.status='';return true">click here</a>

works on all browsers with JS capabilities by default (even webTV)

jerks who submit stories like this seem to be the only ones doing the exploiting

Re:shock horror

This doesn't require Javascript. Some people turn Javascript off expecting to avoid these sorts of things, and now they can't.

Why report the bug if it's been fixed?

The bug apparently affects IE and Outlook Express up to but not including SP2

Why report the bug if it's been fixed?

Re:Why report the bug if it's been fixed?

Not everyone uses Windows XP. There is no patch for Windows 2000 users.

Oh I'm so scared

[g_bit]

You spoofed my *status bar*, you're so evil.

CowboyNeal is a big dork who can't stand the fact that Microsoft rulez him.

Table...

[Poltras]

95% of IE bugs come for table management (too much nested table and it comes up with unknown error, padding and margin, css incompliances, etc etc)

And still 87% of population uses IE 5/6. So like my roommate told me, developpers know FX is better, but we still have to be compliant with IE. Hopefully with the ad coming this may change (though with the predictions of 10% of market be end of 2005 we might design for IE for still the next decade?).

Table being disabled here, At least we cannot do it on Slashdot... and have goatse spam of a new nature.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Status bar?

[FearUncertaintyDoubt]

I can see how this is a bug, and should be fixed, but how big of a security risk is it really? I think anyone aware enough to look at the status bar will probably look at the address bar in the browswer, which will show the real URL. So, yes, the status bar spoof might get someone to click, but they can't spoof the address bar, and a phishing scam would fall apart at that point.

You might as well say that links themselves are a security risk, since a link that says "Microsoft Web Site" but really goes to goatse.cx is a dangerous spoof.

Re:Status bar?

What if a spammer is trying to verify working email addresses? He can craft a nice looking email that appears to be Microsoft, has a link to Microsoft.com (which gasp, shows up in the status bar) and gets people to click that way? By the time you've clicked and can see it in the address bar, it's too late. He knows your email address is valid.

Re:Status bar?

[FearUncertaintyDoubt]

Maybe, but in Outlook, there's no status bar anyway, so you have to click links blind.

Re:Status bar?

It affects Outlook Express, not Outlook.

Re:Status bar?

[pipingguy]

a phishing scam would fall apart at that point.

Unless the URI is obscenely long as is often seen with many dynamically-rendered sites.

http://it.slashdot.org/comments.pl?sid=127762&op=R eply&threshold=3&commentsort=0&tid=113&tid=128&tid =172&tid=1&mode=nested&pid=10673301

On a 19" screen at 1280x1024 the end of this falls off the address bar.

Re:Status bar?

[tonywong]

Think more creatively. Suppose I wanted to infect a person's machine or otherwise. You could spoof them to go to microsoft.com for an update and instead they go to a site that contains the GDI exploit bug, or itself is a direct download to the mac rootkit. Or when full 2-byte domains are allowed, domains like mícrosoft.com can fool many people.

retro web surfing

what ever happend to Gopher sites and browsers?

This is what Slashdot makes of the sample code

[Dr.+Spork]

Click here

Was originally:

<a href="http://www.microsoft.com/"><table><tr><td><a
href="http://www.google.com/">Click here</td></tr></table></a>
</html>

onMouseOver?

[jonr]

Big. Farking. Deal.
Haven't these dorks heard about javascript's onMouseOver? Just go to fark.com and hover over the links.
Neither works in FF, however! :)

Re:onMouseOver?

[gnu-sucks]

I was waiting for someone to say that.

I've used that on web sites I had in 1997? Its been a while, but this is nothing new. Its a new way to do the same old tricks. And it only works in an old browser, and Safari.

Sadly, this is a minor problem.

[argent]

Spoofing bugs are not good, and there's a lot that should be done to fix spoofing, but it's the cross-zone exploits that we really need to worry about. See, 95% of the real security holes in IE come from "security zones". And .NET is just going to embed this design flaw deeper in Windows.

I'll accept screwed up tables if they'll just back out the damn Windows-Explorer integration.

Re:Sadly, this is a minor problem.

Man, I wish I could mod you up. This problem concerns me, as well. What can we expect from longhorn, regarding cross-zone exploits?

It effects Firefox too

[DigitalTechnic]

I'm running RC 1 and I see microsoft but it goes to google. But if you look at the source the HTML code is wrong anyhow. Why would you close the anchor tag outside of the table if you put the starting anchor tag in the table. Someone correct me if i'm wrong, please.

Re:It effects Firefox too

[lightdarkness]

You are reading it incorrectly, the status bar says the true url. I'm running RC1 with no problems.

Re:It effects Firefox too

Why would you close the anchor tag outside of the table if you put the starting anchor tag in the table.

The point is not that the code is wrong. The point is that someone who intends to phish unsuspecting users can relatively easily do so.

What the?

[rampant+mac]

According to Netcraft...

So, does this mean IE is dying? I'm confused.

Firefox 1.0RC1 **IS** affected

[Ark42]

Change the html from
<a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft .com</td></tr></table></a>
to
<a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft .com</a></td></tr></table></a&gt ;

(sorry, Extrans mode is breaking the last </a> for some reason there)

and you will notice the status bar says microsoft.com, and clicking it goes to microsoft.com, but middle click for a new tab, and you get google, not what the status bar says!

Re:Firefox 1.0RC1 **IS** affected

[Deviate_X]

That didn't work in my 1.0PR (Win) but this did:

<a href="http://www.microsoft.com/" onclick="location.href='http://www.google.com/';
return false">
http://www.microsoft.com
</a> ...

Re:Firefox 1.0RC1 **IS** affected

What you typed is a well-known javascript spoofing method. Turning off javascript (or even just disabling the appropriate scripting preferences in mozilla or firebird, as any knowledgeable moz user does) kills this method completely.

The topic at hand is supposed to be effective even when javascript is turned off completely in any of the affected browsers. That's the kick about this bug.

Re:Firefox 1.0RC1 **IS** affected

[JPriest]

So Firefox is affected and IE SP2 is not. This story is just more MS bashing FUD.

Re:Firefox 1.0RC1 **IS** affected

[FuzzyBad-Mofo]

Which is exactly the reason Mozilla/Firefox offers the option whether or not to allow Javascript to control to status bar, something that's been available for ages.

Re:Firefox 1.0RC1 **IS** affected

But it's broken. If you disable it, it never shows anything in the statusbar!

If a script tries to change it, that is.

Re:Firefox 1.0RC1 **IS** affected

[Slime-dogg]

But that isn't controlling the status bar. What it is doing is intercepting the click before it gets to the "A" element, and telling the browser that the "A" element wasn't in fact clicked.

After it intercepts the click, it then sets the document's location to something completely different from what the href said. Yes, disabling javascript will eliminate this problem, but a lot of sites won't work without javascript.

Re:Firefox 1.0RC1 **IS** affected

[FuzzyBad-Mofo]

Oops, you're right. I thought the parent was doing the good old [onmouseover="window.status='blah'"] thing. Gimme a break, it's Saturday.. ;)

Re:Firefox 1.0RC1 **IS** affected

[Ark42]

Make sure you are pasting it right since slashdot inserts random spaces all over the place.
http://www.microsoft .com has the same problem as well, as does any block element, span and inline elements show no issue for me. It only effected control+click or middleclick for open-in-new-tab for me, on 1.0RC1 (I don't have 1.0PR anymore)

Of course, the onclick thing is just as bad really, and may be harder to fix, since it can be quite common to have the href="javascript:;" or href="#" and valid non-url-redirecting javascript in the onclick event.
Personally, the status bar should just show the contents of the onclick parameter that will execute when clicked, or the href, which ever is really going to be executed. Or at least the words "Javascript Code" in place of the onclick contents.

Re:Firefox 1.0RC1 **IS** affected

[Ark42]

*sigh*
I meant:

<a href="http://www.microsoft.com/"> <div><a href="http://www.google.com/">http://www.microsoft .com</a></div></a>

Re:Firefox 1.0RC1 **IS** affected

[Commander+Trollco]

Of course, this could be taken as yet another argument against javascript and java(and don't give me any bullshit about them not being the same, you are missing the point).
The fact is, having ANY client-side scripting is dangerous, and can only lead to security issues. Most of the legitimate functionality provided by js is ugly and less-than helpful crap anyway. Not to mention annoying hovering ads, user-agent checks that will disable some websites for some browsers, the copying of your clipboard buffer, and useless eyecandy that is better described as eyecancer.
I currently only enable javascript for gmail and to test new versions of lastmeasure. Hopefully gmail will eventually be rid of it; lastmeasure on the other hand is intentionally malicious.

Re:Firefox 1.0RC1 **IS** affected

[loconet]

I can confirm on Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

Re:Firefox 1.0RC1 **IS** affected

[loconet]

https://bugzilla.mozilla.org/show_bug.cgi?id=26693 2

Re:Firefox 1.0RC1 **IS** affected

Yes, disabling javascript will eliminate this problem, but a lot of sites won't work without javascript.

I like to try to keep to the jwz site filtering method.

Re:Firefox 1.0RC1 **IS** affected

[Cee]

Not to mention annoying hovering ads

You can do that with CSS.

user-agent checks that will disable some websites for some browsers

That's usually done on the server side (even though it's possible to do it with JavaScript as well).
And also, if we didn't have JavaScript, what would we have instead? ActiveX all over the web? Just Flash?
Plain HTML? (I doubt that)

Re:Firefox 1.0RC1 **IS** affected

Plain HTML would suit me just fine. Let webpages be what they should be: Text, formatted in a way that fits different screens.

Re:Firefox 1.0RC1 **IS** affected

[9-bits.tk]

actually, no. My copy of FF 1.0RC1 shows google.com in the status bar. After examining the code I have seen FF is not vulnerable.

Re:Come on people!

[secolactico]

That's nothing. *My* father installed SP2 against my recommendation, and the next day a burglar broke into his house and stole most of the silverware!

Since installing firefox, nobody has broken into his house again.

Originally posted on slashdot

[the_mighty_$]

Acutally, this originally posted by Benjamin Tobias Franz to bugtraq on Oct 28th:

http://www.securityfocus.com/archive/1/379764/20 04 -10-27/2004-11-02/2

Thus the credit goes to Benjamin, not Netcraft.

What?!?!

[comwiz56]

What? Old versions of software have bugs? Even Microsoft programs? Whoa! This is like, the biggest news since, that story about what your Linux distro says about you.

Re:What?!?!

I've heard that IE 4.0 have some security flaws! oh the HUMANITY!

Another argument for NOT rendering bad HTML

[eu4ik]

From the article, "The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML". If browsers had been pickier from the start, and refused to try to render improper HTML, perhaps we wouldn't see this sort of bug so often. Of course, now everyone expects to be able to view sites no matter how bad the code, so a 'correct' browser wouldn't be popular. Maybe browsers should start flagging improper HTML as a security risk; might actually get some people's attention.

Re:Another argument for NOT rendering bad HTML

[The+One+KEA]

Well, not as a security risk - but you could write a Mozilla/Firefox extension that could change the URL bar colour on sites rendered in quirks mode, or popup a dialog box whenever a quirks mode page is entered by the browser.

Re:Another argument for NOT rendering bad HTML

[DeepHurtn!]

Oh no...! Does this mean my browser would warn me every time I come to Slashdot?

Re:Another argument for NOT rendering bad HTML

[mattyrobinson69]

hmm -how feasable would it be to write firefox plugin to detect bad code (using the w3c tool or something similar), do a whois lookup, email the webmaster saying "your website contains invalid html [link], fix it", or something along those lines (obv this wouldn't work for tripod and stuff like that, but maybe using a blacklist, blocking tripod, geocities, etc?)

any ideas?

somebody who cares about proper html, please write this, i'd use it at least (although im guessing coyboyniel would get lot of emails [just a guess])

So, we're searching for bugs on old versions now?

Ok, hate microsoft, etc etc... but this is ridiculous. you see, previous versions of mozzila (whitch I use) have bugs too, and security flaws. report them too!

Proven repeatedly, notions reinforced this week:

MS, W are both antithetical to security.

Just like /.

[kuzb]

Why are we ever talking about this? It has already been patched.

Re:Just like /.

[The+One+KEA]

Because like it or not, SP2 has not been installed by many XP users.

Not to mention the fact that this bug most likely affects MSHTML as a whole, which means that it may appear in all IE versions before SP2 as well. Being able to spoof links like this in all major versions of IE before SP2 is highly dangerous IMO.

Re:Just like /.

"It has already been patched."

No it hasn't.

SP2 is only for XP, the latest MS OS. This effects users who have applied all patches to W2K etc.

Is this really "url spoofing" ??

[MaGGuN]

When I first read "url spoofing", I immediatly thought that this was about spoofing the address displayed in the address bar. This is at least what I have always considered as url spoofing. I figure that "link spoofing" is something that is more descriptive, but knowing the slashdot community this is gonna be bashed quickly. Anyone have a definition of "url spoofing" if this even exist?

Re:netscape 7.2 for win32

[GarfBond]

Netscape 7.2 is basically Mozilla 1.7(.1?) with AOL addons and ads.

Re:Come on people!

[0123456]

"Actually, I have to say that installing SP2 was not a good idea, atleast in my experience. I installed it on one of my computer systems, and it didn't boot."

Yeah, same here. I installed SP2 on two computers at work last week: one works fine, the other wouldn't even boot after installing. The only choice was to uninstall SP2 and stick with SP1.

It's absolutely retarded for a company to release security fixes for a bloody _WEB BROWSER_ that require you to upgrade the entire operating system.

Tricks Safari :-(

[siriuskase]

<a
href="http://www.google.com/">http://www.microso ft .com</td></tr></table></a>

displaying http://www.microsoft.com in the browser, but sending the user to Google.

Is it the <table> that does it or the nested <a> tags?

Re:Tricks Safari :-(

[siriuskase]

http://www.microsoft .com

Has an unmatched *a* tag, that's interesting. But see how slashdot lets you know what's going on (if you have Display Link Domains turned on).

How ironic

[ptlis]

IE's ability to parse anything meant it survived the problems which caused both Opera and Firefox to crash has also made this nastiness possible...

Confirmation of Safari Vuln

[DonnarsHmr]

Though another poster claims Safari isn't affected by this, I was able to replicate the vuln in Safari 1.2.3 (v125.9). So it appears that the other posters are incorrect. Firefox is unaffected, Internet Explorer show 'http://www.microsoft.com' when the cursor has changed to the link finger but shows 'http://www.google.com' when the cursor is over the link text. Opera for Mac displays the same oddities as IE. OmniWeb for Mac also does this, however, the space in which is displays the spoofed address is only about a pixel wide. Strangely, lynx didn't seem to have much to say :)

Re:So, we're searching for bugs on old versions no

[0123456]

"previous versions of mozzila (whitch I use) have bugs too, and security flaws. report them too!"

But, unlike IE, upgrading Mozzilla to fix the bugs doesn't require you to _UPGRADE YOUR ENTIRE OPERATING SYSTEM_. You see, Mozilla is written by sane people, who don't think it's a sensible idea to wire a web browser deep into the operating system.

How do you find something like this

[ManuelKelly]

Is something like this discovered by accident, or is some poor person sitting at a desk coding weird html all day to see what happens?

Re:How do you find something like this

[archen]

Knowing HTML isn't something just for geeks. Anyone who has spent a lot of time coding HTML by hand probably finds all sorts of weird quirks like this - typically just by chance. I recall back in the IE4/NS4 days when I was trying to get something (I think it was the font tag) to look the same in both browsers. By accident I found that if you made the same attribute twice that Netscape would use the first, and IE would use the second. I'm sure people uncover this stuff all the time, but most just fix the qurik or ignore it.

Re:How do you find something like this

Yeah, I spent a lot of time trying to trick those free webservers into not showing the ads, before I got a dedserv. This was newbie days, here. But, even with my limited knowledge of CSS, positioning, Javascript and the like, I managed my way around all of them.

As for URL spoofing, I always wanted to do some of that. Tried for some time, but never got Yahoo.com to show up in the address space. hat would have been cool.

Purely, for educational reasons of course.

=]

This isn't a new bug...

[nocotigo]

I think we are looking at this from the wrong perspective. This is not another flaw in Internet Explorer. The flaw in IE is the design from the ground up. This is just another in the long list of completely related flaws in the browser. They need to just give up on patching and rewrite the damn thing, and use Gecko as the engine ;)

Yet again, slashdot is FoS

Pre SP2...so if a user fails to update, it is MS's fault...so all those linux errata pages concerning root vulnerabilities, ssh, KDE, Gnome, are OK???

Grow up Slashdot editors!!!!

1) STOP THE FUD!
2) Try placing the same blame on exploits to linux for each flaw it has.
3) Show me that the majority of the linux users can rewrite their source code, before using the opensource argument (we all know they can't, and recfging the kernal, or compiling it again is not the same as rewriting it to fix the freaking flaw!)
4) Stop acting like politicians, spouting bullshit bashing instead of actualy saying something useful, or constructive.
5) Go whine in the corner again about the evil FOR PROFIT corp (MS). Then ask yourselves, if all the code was free, who the fuck would want to work in IT, since they couldn't make a living writing the code, setting up the networks, because it was all free...(this isn't the 23rd century StarTrek universe, people actualy have to PAY for the basic needs...). We won't even get into the mess the massive proprieteary code written for free, would cause in compatibility ...

Re:Yet again, slashdot is FoS

Shhh...you're making too much sense. You could blow the minds of the hypocritical whiny bedwetters around here...

Everything involving MS has a spin, a FUD factor, and an agenda here. Thats the way they like it and it won't change.

Re:Yet again, slashdot is FoS

Pre SP2...so if a user fails to update, it is MS's fault...

It is when they don't make the same fixes available to their other operating systems... Windows XP Service Pack 2 fixes only work on Windows XP, believe it or not.

Re:Yet again, slashdot is FoS

duh, geee, thanks for the enlightenment there...

MS has had notices out about this, but I still don't see the same concideration from ANY Linux distro on their bugs. No phone support numbers (unless they [gasp] pay for it, and pay dearly for the hour apon hour of talking them through each step, for weeks....day after day...)

Sure they can post an errata, but does that get the bug fixed if the user is not the admin, or knows how to compile it into the system, or worse, doesn't bother to patch it (it is the Linux distro's fault then for writing the bad code).

Tell you what slashdot, how about some post about the free work and support done ONSITE for a few million users to get those users onto linux...well, put up or STFU with your childish bashing.

The more of the 'it should all be free' morons that post, the more money I make supporting the masses, for MS and Linux, because I charge ppl for my services. Since slashdot proclaims to be for the 'free' stuff, start providing it, onsite, inperson, without payment of anykind, and teach each and everyone of the users how to program an OS in a couple of hours....(program, not compile a cfg, I mean write each and every line of code, so they can read it and correct the mistakes made before they [gasp] compile a known hole into the kernel, as so many have been doing for years...)

yaaa, thought that would make you think for a sec, but now the hate and bashing syndome must be kicking back in, so yet again, you will revert to the childish antics as a typical slashdot editor/mod/subscriber, and ignore the truth, so you can spout off hate like the KKK and other hate groups of the world [pathetic]

How about doing something constructive instead...geee now there is a new idea to slashdot...

Re:Yet again, slashdot is FoS

I hate to break the news to you kid, but some people are never going to update to SP2. Pick any one of the following reasons:

1) Old hardware runs even slower under SP2, making people less productive, to the point of turning a useful machine into the functional equivalent of a 286.
2) Old software has compatibility issues under SP2
(since nobody makes SP2 updates for old products, the choice is either pay a crapload of money and upgrade to the latest version - hoping that the tasks you did under the old software are even still possible with the new version... or not install SP2. Guess what beancounters are going to go for?)
3) Old software has compatibility issues under SP2 and has been discontinued completely, so updating is not an option
4) Old hardware can't work properly with SP2 due to driver issues. Since it's old hardware, nobody's releasing updated drivers.

The list can keep going from there, but the issue isn't like you're painting it out to be - your viewpoint appears to be "Update you stupid jackasses! Nothing is going to break! Everything will be secure!"

Basically what companies/people have to do with SP2 is backup their system, then upgrade, and see what's broken. Then, depending on how severe the problem is, either spend money to fix the issue (nothing like having to buy a completely new system just to run a service pack!) or - if money won't fix it or if the cost is prohibitive - roll back to SP1.

Note that uninstalling SP2 is not as simple as just uninstalling the SP. It updates other components, which stay updated after uninstalling SP2, and those updates are often the root cause of problems with SP2. Better keep a system restore point around and pray to god that XP doesn't overwrite that restore point before you realize how screwed you are under SP2.

When you make the massive array of changes as MS did with SP2 (going from half-assed programming to mostly-whole-assed programming, with a substantial performance & compatibility penalties because Microsoft is finally doing many things the right way), you Microserfs can't whine about people not updating. When mission critical tasks are broken by simply installing SP2, running SP2 is not always an option. We have work that needs to be done. That work takes precidence over your whining about SP2 installs.

Re:Yet again, slashdot is FoS

Constructive? Would that be anything like...

Volunteering your time to reverse engineer all the software broken by SP2? Couple years there and you might actually get Quark running properly.

Volunteering your own cash so that people whose systems are turned into slugs by SP2 can buy new systems and be productive again?

The list is endless! You've got quite the idea in your noggin'. Hey everybody! Upgrade to SP2! This Microsoft fanboy is volunteering time and money like it's never going to end!

Or, wait. You couldn't be suggesting that people bite the bullet, upgrade to SP2, have their systems turn into unresponsive barely working hunks of crap, and then have to buy all new software and hardware just so they can run SP2?

You can't break such wide swaths of hardware and software, then whine about why people aren't upgrading.

DRTFA

[grahamlee]

According to the article, Safari is affected. The Safari on my system (1.2.3 (v125.9)) is not, and that's up to date.

Re:DRTFA

[siriuskase]

I have Safari 1.2.3 (v125.9). It is affected.

It's kinda cool how if I click on the url, it goes to Google, if I click next to it, it goes to Microsoft. Surely, there's a practicle use for this (other than phishing).

OT Webserver Search

[Dr.+Cody]

Did anybody see the interesting example Netcraft gave for their webserver search?

Violates HTML4 ref

[mystik]

http://www.w3.org/TR/html401/struct/links.html#ede f-A

According to the HTML4 ref @ w3, putting a table inside of an anchor-tag is illegal. Only inline tags may reside there, and a table is a block-level tag.

Since ths means the browser's behavior is undefined, I hope they come up w/ a better fix ...

Re:Violates HTML4 ref

Obviously attackers don't care if something is valid HTML or not, but there is an important factor in this. A browser would normally encounter the opening table tag and end the link there. The reason why browsers can't do this is because there is so much crappy HTML on the web that they need to jump through all kinds of hoops to get the crap to display. If there wasn't so much crap, the Internet Explorer parser would simply close the a element at the beginning of the table and not be vulnerable to this.

trick to download a trojan

[davidwr]

If I can trick you into visiting download.trojan.here.com because you think you are going to www.microsoft.com, that's all I need.

Why this is a big deal.

[twitter]

I think anyone aware enough to look at the status bar will probably look at the address bar in the browser, which will show the real URL.

Tinyurl has lots of good examples of how the astute user can still be burnt. If the status bar shows "microsoft.com/whatever/whenever" but the actual site has the usual garbage, the user will not be clued in. Indeed, the user may not even be able to see the root of the site through the three thousand character url which so many legitimate sites generate.

Your example is trivial and misses the potential of the exploit:

You might as well say that links themselves are a security risk, since a link that says "Microsoft Web Site" but really goes to goatse.cx is a dangerous spoof.

How about a link that says "citibank.com" in an email and on your status bar that tells the recipient that they should log in to check for suspicious activity? The user goes to the bogus site, which may have valid certs and make the little lock appear and looks just like the citbank site. The user then gives the sender their citibank name and password without thinking twice about the random character url they are confronted with because it's what they are used to seeing. The sender then cleans out the user's account.

A status bar that works is an important part of preventing that kind of fraud.

Re:Why this is a big deal.

[FearUncertaintyDoubt]

A status bar that works is an important part of preventing that kind of fraud.

If it's so important, why does Javascript allow you to put whatever you want in the status bar? Anyone can easily override the default behavior without an "exploit".

Re:Come on people!

[Xformer]

That, and financial sites that are supposed to be secure, but will only work with IE. The reason? JavaScript bugs that are easily fixed, but not high on their priorities.

Does the exploit affect the Slashdot URL parser?

[anamexis]

What if this affected the domain Slashdot displays after every link? Lets find out:
http://www.microsoft .com
Apparently not, but strange nonetheless.

Once again, XP SP2 is unaffected by new exploits

Using the current version of Windows and IE, with XP SP2 and fully patched IE, this thing does not work. Proving once again how much effort went into designing XP SP2 to guard against new, unknown bugs and exploits.

MS *is* serious about security - after all these years they finally got the message.

Re:So, we're searching for bugs on old versions no

[man_ls]

shdoclc.dll is the mshtml rendering engine.

Benefits of having the rendering engine be a part of the OS:

Any application can hook into the rendering engine and use it for HTML rendering. LOTS of applications embed the shdoclc control into their main panels and use it for navigation, etc. It's trivial to do this, and it means it's a lot less work for people to do.

Downsides:

Any vaunerabilities that are discovered in the engine, will effect all the apps that call it.

Internet Explorer is a "front" for the engine. So is MyIE2 (with some other features thrown in there.)

Integration isn't as bad as you think it is.

Re:Come on people!

[Ziak]

I can second that, our whole miltary here in Cherry Point, NC uses IE ....except for me who installed firefox, just recentally after having to reload a computer from spy/malware i just started showing them firefox, alot of them after have come up to me go I love firefox where can i get it for my home machine?

Re:Once again, XP SP2 is unaffected by new exploit

Or they were aware of it and didn't make it public...

Will this spoof Bess blocking?

Will this allow you to go to blocked sites with n2h2 bess blocking software, like at schools or libarys?

Don't know what you're talking about

[ArchieBunker]

The latest version of IE6 on win2k is not affected. Updates for win2k are still being produced, whats your problem?

SP2 and Firefox

[gad_zuki!]

Yep. I am a big firefox evangelist for windows, but SP2 is the Firefox killer in many ways.

That said, there are lots of 98 and 2K installations. There are lots of XP people sick of spyware or are curious about tabs, handy extensions, etc. Or at just worried about security. Computers arent these things in our living room anymore, they are our central digital hub. They have our work, photos, taxes, etc on them. Using IE is like driving drunk. Lots of XP users are slowly coming to realize this.

The really great part about this is that microsoft's incompetence will help the responsbile online community promote real HTML standards. No more "you need this to view that" nonsense. With pages working on mutliple browsers we can edge into better mobile browsers, lower cost to entry, break the digital divide, promote other OS's, etc and show Microsoft that from now on there will be a front to fights its Embrace, Extend, and Extinguish business plan.

Re:Come on people!

'firefox source is available, so people can look through it for bugs

and just how many regular users in the owrld can read and write the fucking code?!?!?!?!?!

that argument is so fucking old and tired it is pathetic!!

STFU with the bashing, stop acting like all users are CIS Masters (most can't understand what the difference is between left and right clicks). try acting like adults for a change slashdot! Stop the childish bashing, stop the lies, acknowledge the flaws in your favorite OS (linux) and get it through your damned heads, that the majority of the worlds users are not made up of IT-nerds, most are not able to read and correct code, so it is the FAULT OF THE LINUX CODERS IF THERE IS A LINUX BUG! (same criteria as you give MS)

Re:Come on people!

[wo1verin3]

>> Or do we have to all buy XP and apply SP2 for us to brwose safely?

Just download Browse Safe 1.0

Re:Come on people!

[pipingguy]

"Lisa, I want to buy your rock." -Homer Simpson

Re:Patch - Breaking News

[izakage]

Netcraft Confirms! IE is dying!

Javascript?

Couldn't this exploit be duplicated on any browser with JavaScript enabled by using the Javascript code window.status = "theURLYouWantToShow" attached to the element for that link? I haven't written JS in a while, but I remember it was certainly possible to change the statusbar text on mouseover..

Re:Come on people!

Actually, more bugs are being found in Firefox than in IE right now. BUT, the firefox source is available, so people can look through it for bugs ...

Firefox source has been available for how long? People have been looking through it for how long? And the result is more bugs in Firefox than in IE?

Is there something fundamentally wrong with the arguement? Is no one really looking through the code for bugs?

This type of bug has been known for some time, MS patched it but Firefox didn't. Why is that?

Not everybody can run XP, you insensitive clod

[tepples]

It's news because firms are still on hardware and/or software certified to work with a legacy app, and home users with small budgets run outdated hardware and/or software because they can't afford an upgrade. Because Microsoft has begun the end-of-life process for Microsoft Internet Explorer on versions of the Microsoft Windows operating system prior to Microsoft Windows XP, this bug may prove unfixable in all versions of IE that are designed to work on Microsoft Windows 98SE, Microsoft Windows ME, Microsoft Windows NT 4.x, and Microsoft Windows 2000 operating systems.

Mac OS

[aidbo]

Ironically, this exploit doesn't work on my old work mac using os 8.6, and Internet Explorer 5.0. I guess sometimes simplicity is the easiest security?

Test page

[AstroDrabb]

I put a test page up. There are two spoof tests on the page. The latest version of Firefox is not affected by either of them if you left click the link. However, if you middle click the first spoof test, Firefox takes you to the wrong site.

Re:Test page

[Zathras26]

I tried this with both Safari and IE under OS X. In Safari, when I hovered over each link, the status bar showed both links as Microsoft. When I clicked the links, I went to Google, and the address bar showed Google.

In IE, when I hovered over the links, it showed the links as Google and behaved the same as with Safari when I clicked on them.

Very, very weird...

Re:Test page

[Zathras26]

Per the comment of another user in this story, I tried hovering over the white space next to each link in Safari, and the status bar showed a link to Microsoft. Clicking the white space takes me to Microsoft. IE doesn't show any link at all there, but it does strange things with most of the rest of the text -- it underlines most of the page in blue, implying that it's a link, and it even shows it as a link in the status bar, but if you click on any part of the underlined text, the underlining disappears -- but only for a few words. The rest of the underlining stays.

Re:Test page

[AstroDrabb]

It is not really a _big_ security risk. It basically can just hide where the link will really take you. Once your there, you can see in the URL bar what site you are really at. URL address bar spoofs are more of a security risk since they hid the real address from the user. That is what made some Joe Users think they were at CitiBank, etc.

The only thing this could be used for would be to send a user to a p0rn site without them knowing.

Re:Test page

[artMonster]

Why would it not also be possible to send the user to a site that appears to be CitiBank but isn't? ... I have seen some incredibly well done spoof sites...

58/25

[westlake]

W3 Schools suggests it is about 58% XP, 25% W2K. Browser and Platform Statistics Win 98's share is 6%, Linux 3%, the Mac 3%.

Looking at these numbers, migration to alternative browsers may have peaked before the release of SP2.

Very minor

[Jesus+IS+the+Devil]

This type of bug is very minor. I never trust what the status bar says on mouse-over of a link. With a little bit of javascript, it's easy to have it say whatever you want. Many sites already employ this. All it does is annoy me.

The bottom line is, once you land on the site, what does it say in the address bar and the status bar then?

One other thing, be careful of misleading domains that replace "1" with an "l" or vice versa.

Already seen this on livejournal

[Billly+Gates]

The a href for userinfo's have .exe's in them and if you click the link on IE the second a href tag will open the executable.

Interesting...

[pen]

I'm using a slower computer (Pentium 200 MHz), and when I hover the link, "http://www.google.com/" appears on the status bar for a split-second, before being replaced with "http://www.microsoft.com/". It appears that IE is tracing down the document structure tree and setting the status bar twice.

Re:Here's a fun idea

"this boxen."

Incorrect agreement between demonstrative and noun. YOU FAIL IT!!!!!!!!!!!!!

Re:Come on people!

[Hognoxious]

It's absolutely retarded for a company to release security fixes for a bloody _WEB BROWSER_ that require you to upgrade the entire operating system.

The web browser and the operating system are the same thing! Don't you remember that M$ said so? In court. Under oath.

.Not as secure as IE

.Not sucks

Gmail

[kai.chan]

Speaking of tricking others, someone can very well use this spoofing bug in conjunction with the Gmail cookie problem.

Re:Come on people!

>Actually, more bugs are being found in Firefox
> than in IE right now. BUT, the firefox source
> is available, so people can look through it for
> bugs,

Whoops. You've just shot down the whole OSS theory. FireFox should never have more bugs being found than IE, BECAUSE people have spent so many hours looking at it (which, even though it's been publically available for months, even years, nobody has). The REALITY is that open-source or not, it's still prone to the same old bugs, and the software life cycle continues as normal. How do you guarantee that anyone looks at it? Just because you can doesn't imply that you do.

What does the URL bar on the google.com tab say?

[catscan2000]

The primary issue in pre-XPSP2 IE is that when you click on the link, the URL bar says http://microsoft.com while the site is really http://google.com. Changing the status bar's text has not been seen as a major security issue historically, and Mozilla/Firefox lets you prevent web sites from changing the status bar.

In any case, the URL bar should be authoritative for where you are, which is the issue in pre-XPSP2 IE.

Re:What does the URL bar on the google.com tab say

[catscan2000]

Oh, shoot! I retract that.

I re-read the article and saw that it's a status bar issue after all.

I don't trust the status bar, and I don't see how this is really a big security issue. Besides, phishers are already using e-mail messages with embedded images that have http://citibank.com in the image but link to http://10.83.94.2:893, for instance.

So, I wouldn't hold my breath on Microsoft fixing this issue as larger issues out there already exist. But, I do agree that any security issue should be resolved, regardless of how minor.

Come to think of it, phishers can possibly use the image trick combined with this vulnerability to make the status bar say http://citibank.com, where this vulnerability can become quite serious.

Perhaps we should encourage users to check the URL bar of sites that they are in?

Re:So, we're searching for bugs on old versions no

Stop repeating ythings you've simply read on a web frorum written by some clueless monkey. Read up on it and you'll, maybe even TRY a little yourself and you'll see IE isn't really deeply integrated. Plus it is useful for it to be interated (as APple reazlies with WebCore)

BTW, I wish Mozilla WAS wirtten by sane people, because htey apparently don't believe in patches, only full point upgrades for security fixes.

First one worked for me, second didn't.

First one worked for me, second didn't. I'm running Linux, using Firefox 1.0RC1. This is the one that worked:

<a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft .com</td></tr></table></a>

Why do we still have these bugs?

I really don't understand why we still have URL spoofing bugs. Here's the idea:
The browser sends you to a page - The right page. If the browser is going to load a particular URL, then it KNOWS the URL it's going to load - so why doesn't it just display the same URL it connects to? These spoofing vulnerabilities make little sense. If it's stored in a buffer somewhere, copy it safely with length checking to another buffer and display it safely; it can't be that hard.

I don't understand!

I don't understand! How could anyone have discovered this flaw in IE?

It would have required someone actually RUNNING IE - and here we all thought no one was so STUPID anymore!

This is a true paradox - maybe the story is made up (fabricated)?

Why would anyone still be running IE anyway!

Please do not feed the troll.

[jcuervo]

Who the hell modded that up?

Re:Please do not feed the troll.

The answer is simple: Microserfs.

ie...

[zxflash]

didn't know anybody was still using ie...

IE Hole

[aniakovas]

This is really a non-story. There are 50 different ways to spoof this, mostly javascript I'll admit, but you could also open multiple links from a url on the page, and inconvenience and confuse even the most experienced user so much that their only option would be to shut the whole thing down.

Use something like Maxthon as a wrapper for IE and you'll all be much safer. Notice the comparative, you cannot be absolutely safe.

Is Konquerer Affected as well?

[ByteMangler_242]

I just got the exploit to work on 10.3.5 and Safari 1.2.5

I have no access to Konquerer, is this a KHTML engine problem, or a Safari-only one?

Re:Come on people!

[Sputum]

*blink*

Now, here in Australia at least:

Malware + Military Bases = Bad News

Don't you think?