Slashdot Mirror


New URL Spoofing Bug in Pre-SP2 IE

An anonymous reader writes "According to Netcraft a new security flaw has been found in Microsoft Internet Explorer which makes it possible to spoof a URL with just some simple HTML code, by enclosing two URLs and a table within a single href tag. The user will be sent to one site, but the status bar will show a fake URL. The bug apparently affects IE and Outlook Express up to but not including SP2. Firefox and Konqueror seem unaffected."

14 of 266 comments

  1. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  2. Safari is affected also by dereklam · · Score: 5, Informative

    This exploit also affects Safari 1.2.3 on Panther.

    1. Re:Safari is affected also by v1 · · Score: 3, Informative

      Doesn't appear so here.

      I just tested their spoof http://news.netcraft.com/archives/2004/10/29/new_url_spoofing_flaw_found_in_internet_explorer.html with Safari 1.2 (v125) and it shows 'google.com' in the address bar. I also tested Internet Explorer 5.2.3 on my mac and it also shows 'google.com' in the address bar.

      So it would appear that the mac is (at least for the two main browsers of choice) not affected by this security hole.

      --
      I work for the Department of Redundancy Department.
  3. Safari by P-Nuts · · Score: 4, Informative

    Worryingly, Safari is also fooled by the bug - the status bar shows http://www.microsoft.com/ before you click on the link, but the address bar in the resulting window correctly shows http://www.google.com/.

  4. A sample of what it looks like by grahamsz · · Score: 4, Informative

    http://graha.ms/iesploit.html

    Doesn't seem like anything that couldn't be done with javascript.

  5. Re:Safari Affected? by BandwidthHog · · Score: 3, Informative

    Yes. Safari 1.2.3 (v125.9) is vulnerable on my fully patched (with the exception of the latest QT, as I'm something of an uptime whore) 10.3.5 machine. The status bar showed microsoft.com when hovering over the link on Netcraft's advisory page.

    And in launching Safari to check, I was reminded once more how much more smoothly it scrolls than Firefox. Damn shame, that.

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
  6. Re:Safari Affected? by caerwyn · · Score: 3, Informative

    Safari *is* affected at 1.2.3 v125.9. Look at the status bar as you mouse-over the link before clicking; that's where the exploit is. This is not the same as previous exploits that showed a fake URL in the actual URL bar.

    The link says www.microsoft.com, mousing over it pops up www.microsoft.com in the status bar in the lower left corner of the window. Clicking the link results in a page at google (with google url in the URL bar).

    --
    The ringing of the division bell has begun... -PF
  7. Re:Safari Affected? by bmoore · · Score: 4, Informative

    Interesting... VERY interesting... I also have Safari 1.2.3, v125.9. When I hover my mouse over the link, it shows www.microsoft.com in the status bar. If I click the link, I go to google, but if I r-click and choose "Open Link in New Tab" (or new window) I go to www.microsoft.com.

    Odd. Very odd. Hopefully Apple will arrange for some consistency in operation soon.

  8. IE users.. by Xeo+024 · · Score: 5, Informative

    To test the URL, simply right-click it and it'll display the real URL; if that doesn't work, right-click it and go to Properties.

    But your best bet would be to either update or switch to an unaffected browser.

  9. Anyway, if we recall... by SILIZIUMM · · Score: 3, Informative

    Last January, Microsoft Advised to Type in URLs Rather than Click. You have been warned early, consider yourself lucky!

  10. It SORT OF affects SP2! by SnprBoB86 · · Score: 4, Informative

    With my SP2 system I navigated to http://graha.ms/iesploit.html/ and hovered over the link. This is what I discovered:

    If you place the mouse on the link it shows the link will take you to google as it should, but if you place the mouse just outside the link (I guess on the table border) it says microsoft. The kicker is that when it says Microsoft, clicking the link will not do anything.

    --
    http://brandonbloom.name
  11. Konqueror unaffected also by c0p0n · · Score: 3, Informative

    Konqueror on KDE 3.3.1 draws a transparent table (the one faked on the link) around the link, with both (the link and a small space outside the text link) being clickable, but with different destinations. The resulting window (either google or microsoft) has no spoofed url.

    --

    Your head a splode
  12. Firefox 1.0RC1 **IS** affected by Ark42 · · Score: 5, Informative

    Change the html from
    <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft.com</td></tr></table></a>
    to
    <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft.com</a></td></tr></table></a>

    (sorry, Extrans mode is breaking the last </a> for some reason there)

    and you will notice the status bar says microsoft.com, and clicking it goes to microsoft.com, but middle click for a new tab, and you get google, not what the status bar says!

    1. Re:Firefox 1.0RC1 **IS** affected by FuzzyBad-Mofo · · Score: 3, Informative

      Which is exactly the reason Mozilla/Firefox offers the option whether or not to allow Javascript to control the status bar, something that's been available for ages.
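An added example, not code from Netcraft, the advisory, or any commenter: a small Python check that flags the nested-anchor pattern quoted in Ark42's comment above, reporting the host the outer href would put in the status bar versus the host a click on the inner anchor actually lands on. The sample markup is constructed from that comment; `find_spoofed_links` and `NestedAnchorDetector` are names chosen here.

```python
"""Flag nested <a> elements with conflicting hrefs (the status-bar spoof pattern)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class NestedAnchorDetector(HTMLParser):
    """HTML forbids an <a> inside another <a>; the spoof relies on exactly that."""

    def __init__(self):
        super().__init__()
        self.stack = []   # currently open <a> records, innermost last
        self.pairs = []   # (outer, inner) records for every illegal nesting

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        node = {"href": dict(attrs).get("href", ""), "text": ""}
        if self.stack:                      # an <a> is already open: nesting
            self.pairs.append((self.stack[-1], node))
        self.stack.append(node)

    def handle_data(self, data):
        if self.stack:                      # visible text of the innermost anchor
            self.stack[-1]["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self.stack:
            self.stack.pop()


def host(url):
    """Registrable-ish host for comparison: lowercase, leading 'www.' dropped."""
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def find_spoofed_links(html):
    """Return one finding per nested anchor: status-bar host vs. click target."""
    parser = NestedAnchorDetector()
    parser.feed(html)
    parser.close()
    findings = []
    for outer, inner in parser.pairs:
        text = inner["text"]
        shown = host(text) if text.startswith(("http://", "https://")) else ""
        findings.append({
            "status_bar": host(outer["href"]),     # what hovering displays
            "click_target": host(inner["href"]),   # where the click really goes
            "visible_text": shown,                 # URL-looking link text, if any
            "conflict": host(outer["href"]) != host(inner["href"]),
        })
    return findings


# Constructed sample, taken from the markup quoted in the comment above.
SPOOF_SAMPLE = ('<a href="http://www.microsoft.com/"><table><tr><td>'
                '<a href="http://www.google.com/">http://www.microsoft.com</a>'
                '</td></tr></table></a>')

if __name__ == "__main__":
    print(find_spoofed_links(SPOOF_SAMPLE))
```

A page with no nested anchors yields an empty list, so the check can run over fetched mail or page bodies as a cheap pre-render filter.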