Slashdot Mirror

← Back to Stories (view on slashdot.org)

New URL Spoofing Bug in Pre-SP2 IE

Posted by CowboyNeal on from the reasons-to-upgrade dept.

An anonymous reader writes "According to Netcraft a new security flaw has been found in Microsoft Internet Explorer which makes it possible to spoof a URL with just some simple HTML code, by enclosing two URLs and a table within a single href tag. The user will be sent to one site, but the status bar will show a fake URL. The bug apparently affects IE and Outlook Express up to but not including SP2. Firefox and Konqueror seem unaffected."

8 of 266 comments (clear)

  1. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  2. Safari is affected also by dereklam · · Score: 5, Informative

    This exploit also affects Safari 1.2.3 on Panther.

  3. IE users.. by Xeo+024 · · Score: 5, Informative
    To test the URL simply right-click it and it'll display the real URL, if that doesn't work right-click it and go to properties.

    But your best bet would be to either update or switch to an unaffected browser.

  4. What's worse? by nile_list · · Score: 5, Interesting

    What's worse? IE being vulnerable to spoofed URLs because of malformed HTML, or Firefox crashing because of the same thing?

    --
    Gnash Gnash Gnash
  5. Re:Patch by Anonymous Coward · · Score: 5, Funny

    http://www.microsoft.com

  6. Firefox 1.0RC1 **IS** affected by Ark42 · · Score: 5, Informative

    Change the html from
    <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft .com</td></tr></table></a>
    to
    <a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.google.com/">http://www.microsoft .com</a></td></tr></table></a&gt ;

    (sorry, Extrans mode is breaking the last </a> for some reason there)

    and you will notice the status bar says microsoft.com, and clicking it goes to microsoft.com, but middle click for a new tab, and you get google, not what the status bar says!

    --
    Morphing Software
    1. Re:Firefox 1.0RC1 **IS** affected by Deviate_X · · Score: 5, Interesting

      That didn't work in my 1.0PR (Win) but this did:

      <a href="http://www.microsoft.com/" onclick="location.href='http://www.google.com/';
      return false">
      http://www.microsoft.com
      </a> ...

  7. Re:Come on people! by secolactico · · Score: 5, Funny

    That's nothing. *My* father installed SP2 against my recommendation, and the next day a burglar broke into his house and stole most of the silverware!

    Since installing firefox, nobody has broken into his house again.

    --
    No sig