New URL Spoofing Bug in Pre-SP2 IE
An anonymous reader writes "According to Netcraft a new security flaw has been found in Microsoft Internet Explorer which makes it possible to spoof a URL with just some simple HTML code, by enclosing two URLs and a table within a single href tag. The user will be sent to one site, but the status bar will show a fake URL. The bug apparently affects IE and Outlook Express up to but not including SP2. Firefox and Konqueror seem unaffected."
What's worse? IE being vulnerable to spoofed URLs because of malformed HTML, or Firefox crashing because of the same thing?
Gnash Gnash Gnash
Well, a semi-savvy IE user could have JavaScript turned off... but yeah, this strikes me as no big deal either, just another slam at IE.
Linux, you magnificent bastard, I read the fucking manual!
This is what porn sites have been doing for years. For those who want the secret, here it comes:
<a href="http://google.com" onclick="self.location='http://microsoft.com';return false" onmouseover="top.status='http://google.com';return true" onmouseout="top.status='';return true">click here</a>
Works on all browsers with JS capabilities by default (even WebTV).
jerks who submit stories like this seem to be the only ones doing the exploiting
From the article, "The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML". If browsers had been pickier from the start, and refused to try to render improper HTML, perhaps we wouldn't see this sort of bug so often. Of course, now everyone expects to be able to view sites no matter how bad the code, so a 'correct' browser wouldn't be popular. Maybe browsers should start flagging improper HTML as a security risk; might actually get some people's attention.
IE's ability to parse anything, which meant it survived the problems that caused both Opera and Firefox to crash, has also made this nastiness possible...
There's mischief and malarkies but no queers or yids or darkies within this bastard's carnival, this vicious cabaret.
That didn't work in my 1.0PR (Win) but this did:
<a href="http://www.microsoft.com/" onclick="location.href='http://www.google.com/'; return false"> ...
http://www.microsoft.com
</a>
In another thread somebody mentioned that if you turn off JavaScript, this "URL Spoofing Bug" doesn't work either. Anybody with IE care to check it out?
Dlugar
This type of bug is very minor. I never trust what the status bar says on mouse-over of a link. With a little bit of JavaScript, it's easy to have it say whatever you want. Many sites already employ this. All it does is annoy me.
The bottom line is, once you land on the site, what does it say in the address bar and the status bar then?
One other thing, be careful of misleading domains that replace "1" with an "l" or vice versa.
eTrade SUCKS
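The two snippets posted earlier in the thread (the onclick/onmouseover link and the onclick="location.href=..." variant) and the "never trust the status bar" advice above share one detectable shape: an anchor whose href points one way while an inline handler sends the click somewhere else, or rewrites the status bar on hover. The following is an added example, not code from any poster or from Netcraft, that audits an HTML string for that shape from the defender's side. It assumes Node.js (the built-in URL class does host parsing), uses a deliberately simple regex-based tag scanner rather than a real HTML parser (so attribute values containing a literal ">" would confuse it), and treats hosts as equal after stripping a leading "www.". The sample page it runs on is constructed here and embeds the thread's two snippets plus two control links.

```javascript
// Added example (not from the thread): flag anchors whose inline handlers
// redirect or rewrite the status bar, so the visible href is not what the
// user gets. Regex-based scanner: adequate for this demo, not a full parser.

const ANCHOR_RE = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
// A location assignment inside an inline handler, e.g. self.location='...'
// or location.href='...'. Group 1 captures the assigned URL literal.
const LOCATION_ASSIGN_RE =
  /(?:\b(?:self|window|top|parent|document)\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/i;
// A write to the status bar: status=, window.status=, top.status=, ...
const STATUS_WRITE_RE = /(?:\b(?:self|window|top|parent)\.)?\bstatus\s*=/i;

// Constructed sample: the thread's two spoofing snippets plus two controls
// (a plain link, and a same-host onclick that is not a cross-site redirect).
const SAMPLE_HTML = `
<p>Constructed sample page for the audit.</p>
<a href="http://google.com" onclick="self.location='http://microsoft.com';return false" onmouseover="top.status='http://google.com';return true" onmouseout="top.status='';return true">click here</a>
<a href="http://www.microsoft.com/" onclick="location.href='http://www.google.com/';return false">http://www.microsoft.com</a>
<a href="http://example.com/docs">benign link</a>
<a href="http://example.com/a" onclick="location.href='http://example.com/b';return false">same host</a>
`;

// Pull every <a ...>text</a> out of the markup as {attrs, text}.
function parseAnchors(html) {
  const anchors = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = {};
    for (const a of m[1].matchAll(ATTR_RE)) {
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || '');
      attrs[a[1].toLowerCase()] = value;
    }
    anchors.push({ attrs, text: m[2].trim() });
  }
  return anchors;
}

// Hostname with a leading "www." removed; null if the string is not a URL.
function hostOf(url) {
  try {
    return new URL(url).hostname.replace(/^www\./, '');
  } catch (e) {
    return null;
  }
}

// Produce one finding per suspicious signal on a single anchor.
function auditAnchor(anchor) {
  const href = anchor.attrs.href || '';
  const onclick = anchor.attrs.onclick || '';
  const onmouseover = anchor.attrs.onmouseover || '';
  const findings = [];

  const redirect = onclick.match(LOCATION_ASSIGN_RE);
  if (redirect) {
    const target = redirect[1];
    if (hostOf(target) !== hostOf(href)) {
      findings.push(`onclick navigates to ${target}, not the href ${href}`);
    }
    if (/return\s+false/i.test(onclick)) {
      findings.push('onclick returns false, so the href is never followed');
    }
  }
  if (STATUS_WRITE_RE.test(onmouseover)) {
    findings.push('onmouseover overwrites the status bar text');
  }
  return { href, text: anchor.text, findings };
}

// Audit a whole document; only anchors with at least one finding are returned.
function auditHtml(html) {
  return parseAnchors(html).map(auditAnchor).filter((r) => r.findings.length > 0);
}

// Stand-alone run: print the report for the constructed sample.
console.log(JSON.stringify(auditHtml(SAMPLE_HTML), null, 2));
```

Run with `node audit.js`: the first posted snippet yields three findings (cross-host redirect, suppressed href, status-bar rewrite), the second yields two, the plain link none, and the same-host onclick only the "return false" note, which is why the report distinguishes the signals instead of collapsing them into one verdict.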