Slashdot Mirror

← Back to Stories (view on slashdot.org)

New URL Spoofing Bug in Pre-SP2 IE

Posted by CowboyNeal on from the reasons-to-upgrade dept.

An anonymous reader writes "According to Netcraft a new security flaw has been found in Microsoft Internet Explorer which makes it possible to spoof a URL with just some simple HTML code, by enclosing two URLs and a table within a single href tag. The user will be sent to one site, but the status bar will show a fake URL. The bug apparently affects IE and Outlook Express up to but not including SP2. Firefox and Konqueror seem unaffected."

4 of 266 comments (clear)

  1. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  2. Safari is affected also by dereklam · · Score: 5, Informative

    This exploit also affects Safari 1.2.3 on Panther.

  3. IE users.. by Xeo+024 · · Score: 5, Informative
    To test the URL simply right-click it and it'll display the real URL, if that doesn't work right-click it and go to properties.

    But your best bet would be to either update or switch to an unaffected browser.

  4. Firefox 1.0RC1 **IS** affected by Ark42 · · Score: 5, Informative

    Change the html from
    <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft .com</td></tr></table></a>
    to
    <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft .com</a></td></tr></table></a&gt ;

    (sorry, Extrans mode is breaking the last </a> for some reason there)

    and you will notice the status bar says microsoft.com, and clicking it goes to microsoft.com, but middle click for a new tab, and you get google, not what the status bar says!

    --
    Morphing Software