Slashdot Mirror


New URL Spoofing Bug in Pre-SP2 IE

An anonymous reader writes "According to Netcraft a new security flaw has been found in Microsoft Internet Explorer which makes it possible to spoof a URL with just some simple HTML code, by enclosing two URLs and a table within a single href tag. The user will be sent to one site, but the status bar will show a fake URL. The bug apparently affects IE and Outlook Express up to but not including SP2. Firefox and Konqueror seem unaffected."
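One way to flag the construct the story describes on the defender's side, as an added example that is not part of the Slashdot story or any of the comments: a Python check, standard library only, that walks an HTML fragment and reports (a) an <a> opened while another <a> is still open, which is invalid markup and is what the spoof relies on, and (b) link text that itself looks like a URL but names a different host than the href it is attached to. The sample markup is constructed here to mirror the described structure (host names taken from the story), and the finding tuples are this example's own format, useful as a lint for mail or content filters.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that "looks like a URL": optional scheme, a dotted host, optional path.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?")


def host_of(url):
    """Lower-cased host of a URL, tolerating a missing scheme ('www.a.com/x')."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None


class AnchorAuditor(HTMLParser):
    """Collects two indicators while parsing (example's own finding format):
    ('nested_anchor', outer_href, inner_href)  - an <a> opened inside an open <a>
    ('text_host_mismatch', href, text)          - URL-looking text naming another host
    """

    def __init__(self):
        super().__init__()
        self.open_anchors = []   # stack of [href, list_of_text_chunks]
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if self.open_anchors:
            self.findings.append(("nested_anchor", self.open_anchors[-1][0], href))
        self.open_anchors.append([href, []])

    def handle_data(self, data):
        # Visible text belongs to every anchor that is currently open (outer and inner).
        for anchor in self.open_anchors:
            anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            self._finish(*self.open_anchors.pop())

    def close(self):
        super().close()
        while self.open_anchors:          # anchors that were never closed are still checked
            self._finish(*self.open_anchors.pop())

    def _finish(self, href, chunks):
        text = "".join(chunks).strip()
        if URL_LIKE.fullmatch(text) and host_of(text) != host_of(href):
            self.findings.append(("text_host_mismatch", href, text))


def audit_links(html):
    """Return the list of findings for an HTML fragment, in document order."""
    auditor = AnchorAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample mirroring the structure the story describes: an outer link to
# one host wrapping a table whose cell holds an inner link to another host, with
# the visible text spelling out the outer host.
SPOOF_SAMPLE = (
    '<a href="http://www.microsoft.com/"><table><tr><td>'
    '<a href="http://www.google.com/">http://www.microsoft.com</a>'
    '</td></tr></table></a>'
)

if __name__ == "__main__":
    for finding in audit_links(SPOOF_SAMPLE):
        print(finding)
```

Run against the constructed sample it reports both the nested anchor and the inner link whose text names www.microsoft.com while its href points at www.google.com; a plain link such as `<a href="http://www.google.com/">Search</a>` produces no findings, since non-URL link text is not compared.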

17 of 266 comments

  1. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  2. Safari is affected also by dereklam · · Score: 5, Informative

    This exploit also affects Safari 1.2.3 on Panther.

  3. Safari by P-Nuts · · Score: 4, Informative

    Worryingly, Safari is also fooled by the bug - the status bar shows http://www.microsoft.com/ before you click on the link, but the address bar in the resulting window correctly shows http://www.google.com/.

  4. A sample of what it looks like by grahamsz · · Score: 4, Informative

    http://graha.ms/iesploit.html

    Doesn't seem like anything that couldn't be done with javascript.

  5. Sort of ... by Dlugar · · Score: 4, Insightful

    Just tested it with Opera 7.54 for Linux ... if you mouseover the actual text, "google.com" shows in the status bar, but if you position your cursor just exactly so that it's kinda over the URL, but not over any of the text, then you can get "microsoft.com" to show.

    But I'm kind of confused as to why this is a big deal ... can't you just use Javascript to rewrite the status bar anyway?

    Dlugar

    --
    Computer Go: Writing Software to Play the Ancient Game of Go
  6. Re:Safari Affected? by bmoore · · Score: 4, Informative

    Interesting... VERY interesting... I also have Safari 1.2.3, v125.9. When I hover my mouse over the link, it shows www.microsoft.com in the status bar. If I click the link, I go to google, but if I r-click and choose "Open Link in New Tab" (or new window) I go to www.microsoft.com.

    Odd. Very odd. Hopefully Apple will arrange for some consistency in operation soon.

  7. IE users.. by Xeo+024 · · Score: 5, Informative

    To test the URL simply right-click it and it'll display the real URL, if that doesn't work right-click it and go to properties.

    But your best bet would be to either update or switch to an unaffected browser.

  8. What's worse? by nile_list · · Score: 5, Interesting

    What's worse? IE being vulnerable to spoofed URLs because of malformed HTML, or Firefox crashing because of the same thing?

    --
    Gnash Gnash Gnash
  9. affected my Safari :-( by quacking+duck · · Score: 4, Insightful

    Just tried it myself on Safari v125.9 on 10.3.5; unfortunately the spoof worked.

    Hovering over the actual link showed microsoft.com in the status bar, but clicking it did indeed go to google.

    However, I can click outside the link on the same line (thanks to the table spanning the entire width of the article box), and it'll go to microsoft.com as indicated in the status bar when hovering over the line.

  10. Re:Patch by Anonymous Coward · · Score: 5, Funny
  11. It SORT OF affects SP2! by SnprBoB86 · · Score: 4, Informative

    With my SP2 system I navigated to http://graha.ms/iesploit.html/ and hovered over the link. This is what I discovered:

    If you place the mouse on the link it shows the link will take you to google as it should, but if you place the mouse just outside the link (I guess on the table border) it says microsoft. The kicker is, that when it says Microsoft, clicking the link will not do anything.

    --
    http://brandonbloom.name
  12. Safari goes to wrong place by goynang · · Score: 4, Insightful

    Safari goes to the wrong URL too.

    Just tried the demo and ended up at Google rather than where the link looked like it should go.

    Damn!

  13. Status bar? by FearUncertaintyDoubt · · Score: 4, Insightful

    I can see how this is a bug, and should be fixed, but how big of a security risk is it really? I think anyone aware enough to look at the status bar will probably look at the address bar in the browser, which will show the real URL. So, yes, the status bar spoof might get someone to click, but they can't spoof the address bar, and a phishing scam would fall apart at that point.

    You might as well say that links themselves are a security risk, since a link that says "Microsoft Web Site" but really goes to goatse.cx is a dangerous spoof.

  14. Firefox 1.0RC1 **IS** affected by Ark42 · · Score: 5, Informative

    Change the html from
    <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft.com</td></tr></table></a>
    to
    <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft.com</a></td></tr></table></a>

    (sorry, Extrans mode is breaking the last </a> for some reason there)

    and you will notice the status bar says microsoft.com, and clicking it goes to microsoft.com, but middle click for a new tab, and you get google, not what the status bar says!

    1. Re:Firefox 1.0RC1 **IS** affected by Deviate_X · · Score: 5, Interesting

      That didn't work in my 1.0PR (Win) but this did:

      <a href="http://www.microsoft.com/" onclick="location.href='http://www.google.com/';
      return false">
      http://www.microsoft.com
      </a> ...

    2. Re:Firefox 1.0RC1 **IS** affected by JPriest · · Score: 4, Insightful

      So Firefox is affected and IE SP2 is not. This story is just more MS bashing FUD.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  15. Re:Come on people! by secolactico · · Score: 5, Funny

    That's nothing. *My* father installed SP2 against my recommendation, and the next day a burglar broke into his house and stole most of the silverware!

    Since installing firefox, nobody has broken into his house again.

    --
    No sig