New URL Spoofing Bug in Pre-SP2 IE
An anonymous reader writes "According to Netcraft a new security flaw has been found in Microsoft Internet Explorer which makes it possible to spoof a URL with just some simple HTML code, by enclosing two URLs and a table within a single href tag. The user will be sent to one site, but the status bar will show a fake URL. The bug apparently affects IE and Outlook Express up to but not including SP2. Firefox and Konqueror seem unaffected."
Bug in outdated software.
Why is this news?
Just tested it with Opera 7.54 for Linux ... if you mouseover the actual text, "google.com" shows in the status bar, but if you position your cursor just exactly so that it's kinda over the URL, but not over any of the text, then you can get "microsoft.com" to show.
... can't you just use Javascript to rewrite the status bar anyway?
But I'm kind of confused as to why this is a big deal
Dlugar
Computer Go: Writing Software to Play the Ancient Game of Go
Just tried it myself on Safari v125.9 on 10.3.5; unfortunately the spoof worked.
Hovering over the actual link showed microsoft.com in the status bar, but clicking it did indeed go to google.
However, I can click outside the link on the same line (thanks to the table spanning the entire width of the article box), and it'll go to microsoft.com as indicated in the status bar when hovering over the line.
Safari goes to the wrong URL too.
Just tried the demo and ended up at Google rather than where the link looked like it should go.
Damn!
You might as well say that links themselves are a security risk, since a link that says "Microsoft Web Site" but really goes to goatse.cx is a dangerous spoof.
Spoofing bugs are not good, and there's a lot that should be done to fix spoofing, but it's the cross-zone exploits that we really need to worry about. See, 95% of the real security holes in IE come from "security zones". And .NET is just going to embed this design flaw deeper in Windows.
I'll accept screwed up tables if they'll just back out the damn Windows-Explorer integration.
Is something like this discovered by accident, or is some poor person sitting at a desk coding weird html all day to see what happens?
Pre SP2...so if a user fails to update, it is MS's fault...so all those linux errata pages concerning root vulnerabilities, ssh, KDE, Gnome, are OK???
...
Grow up Slashdot editors!!!!
1) STOP THE FUD!
2) Try placing the same blame on exploits to linux for each flaw it has.
3) Show me that the majority of the linux users can rewrite their source code, before using the opensource argument (we all know they can't, and reconfiguring the kernel, or compiling it again is not the same as rewriting it to fix the freaking flaw!)
4) Stop acting like politicians, spouting bullshit bashing instead of actually saying something useful, or constructive.
5) Go whine in the corner again about the evil FOR PROFIT corp (MS). Then ask yourselves, if all the code was free, who the fuck would want to work in IT, since they couldn't make a living writing the code, setting up the networks, because it was all free...(this isn't the 23rd century Star Trek universe, people actually have to PAY for the basic needs...). We won't even get into the mess the massive proprietary code written for free, would cause in compatibility.
http://www.w3.org/TR/html401/struct/links.html#edef-A
...
According to the HTML4 ref @ w3, putting a table inside of an anchor-tag is illegal. Only inline tags may reside there, and a table is a block-level tag.
Since this means the browser's behavior is undefined, I hope they come up w/ a better fix
Why aren't you encrypting your e-mail?
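A lint-style check for the markup pattern the story summary describes, using the HTML 4.01 rule cited in the comment above (an anchor may hold only inline content). This is an added example and not part of any commenter's post; the sample markup, the `site-one.example` / `site-two.example` hosts, and the class and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Block-level elements per HTML 4.01; an A element may contain only inline content.
BLOCK_TAGS = {"table", "div", "p", "form", "ul", "ol", "dl", "pre", "blockquote",
              "h1", "h2", "h3", "h4", "h5", "h6", "hr", "address"}


class AnchorAuditor(HTMLParser):
    """Flag <a href> elements that wrap block content or a second link target."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open_anchors = []  # href (or None) of every <a> not yet closed
        self.findings = []      # tuples: (kind, outer_href, detail)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Nearest enclosing anchor that actually carries an href.
        outer = next((h for h in reversed(self.open_anchors) if h), None)
        if outer is not None:
            if tag in BLOCK_TAGS:
                self.findings.append(("block-in-anchor", outer, tag))
            # A second navigation target inside the same link.
            inner = attrs.get("href") if tag == "a" else None
            if inner and inner != outer:
                self.findings.append(("second-url", outer, inner))
        if tag == "a":
            self.open_anchors.append(attrs.get("href"))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            self.open_anchors.pop()


def audit(html):
    """Return the findings for one HTML fragment (e.g. a mail body or a comment)."""
    parser = AnchorAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples: two URLs and a table inside one anchor, and a valid link.
SUSPECT = ('<a href="http://site-one.example/"><table><tr><td>'
           '<a href="http://site-two.example/">http://site-one.example/</a>'
           '</td></tr></table></a>')
BENIGN = ('<p><a href="http://site-one.example/">a <b>plain</b> link</a></p>'
          '<table><tr><td>x</td></tr></table>')
```

`html.parser` reports tags as written and does not repair the tree the way a browser does, so the check sees the invalid nesting itself rather than one browser's interpretation of it.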
So Firefox is affected and IE SP2 is not. This story is just more MS bashing FUD.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
> Actually, more bugs are being found in Firefox than in IE right now. BUT, the firefox source is available, so people can look through it for bugs,
Whoops. You've just shot down the whole OSS theory. Firefox should never have more bugs being found than IE, BECAUSE people have spent so many hours looking at it (which, even though it's been publicly available for months, even years, nobody has). The REALITY is that open-source or not, it's still prone to the same old bugs, and the software life cycle continues as normal. How do you guarantee that anyone looks at it? Just because you can doesn't imply that you do.