Slashdot Mirror


New URL Spoofing Bug in Pre-SP2 IE

An anonymous reader writes "According to Netcraft a new security flaw has been found in Microsoft Internet Explorer which makes it possible to spoof a URL with just some simple HTML code, by enclosing two URLs and a table within a single href tag. The user will be sent to one site, but the status bar will show a fake URL. The bug apparently affects IE and Outlook Express up to but not including SP2. Firefox and Konqueror seem unaffected."

45 of 266 comments

  1. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  2. Safari is affected also by dereklam · · Score: 5, Informative

    This exploit also affects Safari 1.2.3 on Panther.

    1. Re:Safari is affected also by v1 · · Score: 3, Informative


      Doesn't appear so here.

      I just tested their spoof http://news.netcraft.com/archives/2004/10/29/new_url_spoofing_flaw_found_in_internet_explorer.html with Safari 1.2 (v125) and it shows 'google.com' in the address bar. I also tested Internet Explorer 5.2.3 on my mac and it also shows 'google.com' in the address bar.

      So it would appear that the mac is (at least for the two main browsers of choice) not affected by this security hole.

      --
      I work for the Department of Redundancy Department.
  3. Patch by Anonymous Coward · · Score: 3, Funny
    1. Re:Patch by Anonymous Coward · · Score: 5, Funny
    2. Re:Patch by Jeff+DeMaagd · · Score: 2, Informative

      Some could say that one should update to service pack 2, but IIRC, there are just as many W2k installations as there are XP installations.

  4. Safari by P-Nuts · · Score: 4, Informative

    Worryingly, Safari is also fooled by the bug - the status bar shows http://www.microsoft.com/ before you click on the link, but the address bar in the resulting window correctly shows http://www.google.com/.

  5. Safari Affected? by TheGuinnesseur · · Score: 2, Informative
    The article says:

    "The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2, but are current on all other critical updates from Windows Update - as well as the Safari browser for Macs."

    Is it just me, or is that a typo? My version of Safari (1.2.3 v125.9) seems to handle their sample malformed tag just fine, displaying www.google.com as it should. Can anyone confirm or deny whether Safari is affected by this problem?

    1. Re:Safari Affected? by BandwidthHog · · Score: 3, Informative

      Yes. Safari 1.2.3 (v125.9) is vulnerable on my fully patched (with the exception of the latest QT, as I'm something of an uptime whore) 10.3.5 machine. The status bar showed microsoft.com when hovering over the link on Netcraft's advisory page.

      And in launching Safari to check, I was reminded once more how much more smoothly it scrolls than Firefox. Damn shame, that.

      --

      Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
    2. Re:Safari Affected? by caerwyn · · Score: 3, Informative

      Safari *is* affected at 1.2.3 v125.9. Look at the status bar as you mouse-over the link before clicking; that's where the exploit is. This is not the same as previous exploits that showed a fake URL in the actual URL bar.

      The link says www.microsoft.com, mousing over it pops up www.microsoft.com in the status bar in the lower left corner of the window. Clicking the link results in a page at google (with google url in the URL bar).

      --
      The ringing of the division bell has begun... -PF
    3. Re:Safari Affected? by bmoore · · Score: 4, Informative

      Interesting... VERY interesting... I also have Safari 1.2.3, v125.9. When I hover my mouse over the link, it shows www.microsoft.com in the status bar. If I click the link, I go to google, but if I r-click and choose "Open Link in New Tab" (or new window) I go to www.microsoft.com.

      Odd. Very odd. Hopefully Apple will arrange for some consistency in operation soon.

    4. Re:Safari Affected? by SnprBoB86 · · Score: 2

      Someone please mod up the confirmations/denials of this

      --
      http://brandonbloom.name
  6. A sample of what it looks like by grahamsz · · Score: 4, Informative

    http://graha.ms/iesploit.html

    Doesn't seem like anything that couldn't be done with javascript.

    1. Re:A sample of what it looks like by AngryScot · · Score: 2, Informative

      The point is this will work with scripting disabled.

      This means people who think that they know where they are going could be fooled.

      Saying that: If you know how/why to disable javascript I'm sure you would upgrade your IE or use firefox etc

      --

      All spelling mistakes are due to solar flares...honest

    2. Re:A sample of what it looks like by pronobozo · · Score: 2, Informative

      "Doesn't seem like anything that couldn't be done with javascript."

      True.. but a point is that you can have java turned off thinking you are more secure, while this exploit doesn't require it.

      --
      ------
      insert sig here,here, and here
  7. Sort of ... by Dlugar · · Score: 4, Insightful

    Just tested it with Opera 7.54 for Linux ... if you mouseover the actual text, "google.com" shows in the status bar, but if you position your cursor just exactly so that it's kinda over the URL, but not over any of the text, then you can get "microsoft.com" to show.

    But I'm kind of confused as to why this is a big deal ... can't you just use Javascript to rewrite the status bar anyway?

    Dlugar

    --
    Computer Go: Writing Software to Play the Ancient Game of Go
    1. Re:Sort of ... by Captain+Splendid · · Score: 3, Interesting

      Well, a semi-savvy IE user could have javascript turned off...but yeah, this strikes me as no big deal either, just another slam at IE.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    2. Re:Sort of ... by Dlugar · · Score: 2, Interesting

      In another thread somebody mentioned that if you turn off Javascript that this "URL Spoofing Bug" doesn't work either. Anybody with IE care to check it out?

      Dlugar

      --
      Computer Go: Writing Software to Play the Ancient Game of Go
  8. IE users.. by Xeo+024 · · Score: 5, Informative
    To test the URL simply right-click it and it'll display the real URL, if that doesn't work right-click it and go to properties.

    But your best bet would be to either update or switch to an unaffected browser.

  9. What's worse? by nile_list · · Score: 5, Interesting

    What's worse? IE being vulnerable to spoofed URLs because of malformed HTML, or Firefox crashing because of the same thing?

    --
    Gnash Gnash Gnash
  10. Re:OK, OK I will download Firefox by lightdarkness · · Score: 2, Funny

    FF, reformatting the world, one Windows box at a time.

  11. affected my Safari :-( by quacking+duck · · Score: 4, Insightful

    Just tried it myself on Safari v125.9 on 10.3.5; unfortunately the spoof worked.

    Hovering over the actual link showed microsoft.com in the status bar, but clicking it did indeed go to google.

    However, I can click outside the link on the same line (thanks to the table spanning the entire width of the article box), and it'll go to microsoft.com as indicated in the status bar when hovering over the line.

  12. Anyway, if we recall... by SILIZIUMM · · Score: 3, Informative

    Last January, Microsoft Advised to Type in URLs Rather than Click. You have been warned early, consider yourself lucky!

  13. I haven't seen a post of this yet... by rel4x · · Score: 2, Informative

    <table>
    <tr><td>
    <a href="http://www.google.com/">http://www.microsoft.com</td></tr></table></a>

    --

    Before you mod me funny, think, perhaps I was insightfully funny?
  14. Goatse... by SILIZIUMM · · Score: 3, Funny

    Too bad the original goatse.cx is down, that could be fun. "Hey Jim, check that financial report!"... At least we have mirrors...

  15. It SORT OF affects SP2! by SnprBoB86 · · Score: 4, Informative

    With my SP2 system I navigated to http://graha.ms/iesploit.html/ and hovered over the link. This is what I discovered:

    If you place the mouse on the link it shows the link will take you to google as it should, but if you place the mouse just outside the link (I guess on the table border) it says microsoft. The kicker is, that when it says Microsoft, clicking the link will not do anything.

    --
    http://brandonbloom.name
  16. Safari goes to wrong place by goynang · · Score: 4, Insightful

    Safari goes to the wrong URL too.

    Just tried the demo and ended up at Google rather than where the link looked like it should go.

    Damn!

  17. Konqueror unaffected also by c0p0n · · Score: 3, Informative

    Konqueror on KDE 3.3.1 draws a transparent table (the one faked on the link) around the link, being both (the link and a small space outside the text link) clickable, but with different destinations. The resulting window (either google or microsoft) has no spoofed url.

    --

    Your head a splode
  18. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  19. Status bar? by FearUncertaintyDoubt · · Score: 4, Insightful
    I can see how this is a bug, and should be fixed, but how big of a security risk is it really? I think anyone aware enough to look at the status bar will probably look at the address bar in the browser, which will show the real URL. So, yes, the status bar spoof might get someone to click, but they can't spoof the address bar, and a phishing scam would fall apart at that point.

    You might as well say that links themselves are a security risk, since a link that says "Microsoft Web Site" but really goes to goatse.cx is a dangerous spoof.

  20. Sadly, this is a minor problem. by argent · · Score: 2, Insightful

    Spoofing bugs are not good, and there's a lot that should be done to fix spoofing, but it's the cross-zone exploits that we really need to worry about. See, 95% of the real security holes in IE come from "security zones". And .NET is just going to embed this design flaw deeper in Windows.

    I'll accept screwed up tables if they'll just back out the damn Windows-Explorer integration.

  21. Firefox 1.0RC1 **IS** affected by Ark42 · · Score: 5, Informative

    Change the html from
    <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft.com</td></tr></table></a>
    to
    <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft.com</a></td></tr></table></a&gt ;

    (sorry, Extrans mode is breaking the last </a> for some reason there)

    and you will notice the status bar says microsoft.com, and clicking it goes to microsoft.com, but middle click for a new tab, and you get google, not what the status bar says!

    1. Re:Firefox 1.0RC1 **IS** affected by Deviate_X · · Score: 5, Interesting

      That didn't work in my 1.0PR (Win) but this did:

      <a href="http://www.microsoft.com/" onclick="location.href='http://www.google.com/';
      return false">
      http://www.microsoft.com
      </a> ...

    2. Re:Firefox 1.0RC1 **IS** affected by JPriest · · Score: 4, Insightful

      So Firefox is affected and IE SP2 is not. This story is just more MS bashing FUD.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    3. Re:Firefox 1.0RC1 **IS** affected by FuzzyBad-Mofo · · Score: 3, Informative

      Which is exactly the reason Mozilla/Firefox offers the option whether or not to allow Javascript to control the status bar, something that's been available for ages.

    4. Re:Firefox 1.0RC1 **IS** affected by Slime-dogg · · Score: 2, Informative

      But that isn't controlling the status bar. What it is doing is intercepting the click before it gets to the "A" element, and telling the browser that the "A" element wasn't in fact clicked.

      After it intercepts the click, it then sets the document's location to something completely different from what the href said. Yes, disabling javascript will eliminate this problem, but a lot of sites won't work without javascript.

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  22. Re:Come on people! by secolactico · · Score: 5, Funny

    That's nothing. *My* father installed SP2 against my recommendation, and the next day a burglar broke into his house and stole most of the silverware!

    Since installing firefox, nobody has broken into his house again.

    --
    No sig
  23. Another argument for NOT rendering bad HTML by eu4ik · · Score: 2, Interesting

    From the article, "The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML". If browsers had been pickier from the start, and refused to try to render improper HTML, perhaps we wouldn't see this sort of bug so often. Of course, now everyone expects to be able to view sites no matter how bad the code, so a 'correct' browser wouldn't be popular. Maybe browsers should start flagging improper HTML as a security risk; might actually get some people's attention.

    1. Re:Another argument for NOT rendering bad HTML by DeepHurtn! · · Score: 2, Funny

      Oh no...! Does this mean my browser would warn me every time I come to Slashdot?

  24. How ironic by ptlis · · Score: 3, Interesting

    IE's ability to parse anything, which meant it survived the problems that caused both Opera and Firefox to crash, has also made this nastiness possible...

    --
    There's mischief and malarkies but no queers or yids or darkies within this bastard's carnival, this vicious cabaret.
  25. Confirmation of Safari Vuln by DonnarsHmr · · Score: 2, Informative

    Though another poster claims Safari isn't affected by this, I was able to replicate the vuln in Safari 1.2.3 (v125.9). So it appears that the other posters are incorrect. Firefox is unaffected, Internet Explorer shows 'http://www.microsoft.com' when the cursor has changed to the link finger but shows 'http://www.google.com' when the cursor is over the link text. Opera for Mac displays the same oddities as IE. OmniWeb for Mac also does this, however, the space in which it displays the spoofed address is only about a pixel wide. Strangely, lynx didn't seem to have much to say :)

  26. How do you find something like this by ManuelKelly · · Score: 3, Insightful

    Is something like this discovered by accident, or is some poor person sitting at a desk coding weird html all day to see what happens?

  27. Violates HTML4 ref by mystik · · Score: 2, Insightful

    http://www.w3.org/TR/html401/struct/links.html#edef-A

    According to the HTML4 ref @ w3, putting a table inside of an anchor-tag is illegal. Only inline tags may reside there, and a table is a block-level tag.

    Since this means the browser's behavior is undefined, I hope they come up w/ a better fix ...

    --
    Why aren't you encrypting your e-mail?
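
An added example, not part of any comment in this thread: a Python check in the spirit of comments 23 and 27 that a mail or content filter could run to flag the malformed link markup quoted in comment 21. The rule names, `LinkAuditor` and `audit` are constructed for this illustration; `SAMPLE` is the markup from comment 21 and `BENIGN` is a constructed well-formed link.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none or is unparsable."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""

class LinkAuditor(HTMLParser):
    """Flags anchors whose markup lets the displayed and real targets differ."""
    def __init__(self):
        super().__init__()
        self.open_anchors = []  # [href, visible text] for each unclosed <a>
        self.findings = []      # (rule, detail) tuples, in document order

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            # HTML 4 forbids <a> inside <a>; two hosts on one link is the spoof.
            if self.open_anchors and host(href) != host(self.open_anchors[-1][0]):
                outer = self.open_anchors[-1][0]
                self.findings.append(("nested-anchor", f"{outer} wraps {href}"))
            self.open_anchors.append([href, ""])
        elif tag == "table" and self.open_anchors:
            # Block-level element inside an inline anchor: parsing is undefined.
            self.findings.append(("table-in-anchor", self.open_anchors[-1][0]))

    def handle_data(self, data):
        if self.open_anchors:
            self.open_anchors[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            href, text = self.open_anchors.pop()
            shown = host(text) if "://" in text else ""
            if shown and shown != host(href):
                self.findings.append(
                    ("text-host-mismatch", f"shows {shown}, goes to {host(href)}"))

def audit(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

SAMPLE = ('<a href="http://www.microsoft.com/"><table><tr><td>'
          '<a href="http://www.google.com/">http://www.microsoft.com'
          '</td></tr></table></a>')
BENIGN = '<a href="http://www.google.com/">http://www.google.com</a>'
```

The check works on the tag stream only, so it flags the markup regardless of how a particular browser would recover from it.
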
  28. Re:Pre SP2? by dn15 · · Score: 3, Funny
    What does this mean for Windows 2000 users?
    It means they should get Firefox.
    ;)
  29. Very minor by Jesus+IS+the+Devil · · Score: 2, Interesting

    This type of bug is very minor. I never trust what the status bar says on mouse-over of a link. With a little bit of javascript, it's easy to have it say whatever you want. Many sites already employ this. All it does is annoy me.

    The bottom line is, once you land on the site, what does it say in the address bar and the status bar then?

    One other thing, be careful of misleading domains that replace "1" with an "l" or vice versa.

    --

    eTrade SUCKS