[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: New URL spoofing bug in Microsoft Internet Explorer
- To: "0-1-2-3@xxxxxx" <0-1-2-3@xxxxxx>
- Subject: Re: New URL spoofing bug in Microsoft Internet Explorer
- From: "Christopher J. Pilkington" <christopher.j.pilkington@xxxxxxxxx>
- Date: Thu, 28 Oct 2004 20:15:19 -0400
Under IE 6.0.2900.2180, this does not occur as you describe.
If the mouse pointer is pointed to the edge around the link,
"http://www.microsoft.com"; is displayed, but when the pointer is
directly over the link, "http://www.google.com"; is correctly
displayed.
On Thu, 28 Oct 2004 23:38:16 +0200, 0-1-2-3@xxxxxx <0-1-2-3@xxxxxx> wrote:
> New URL spoofing bug in Microsoft Internet Explorer
>
> There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched),
> which allowes to show any faked target-address in the status bar of the
> window.
>
> The example below will display a faked URL ("http://www.microsoft.com/";) in
> the status bar of the window, if you move your mouse over the link. Click
> on the link and IE will go to "http://www.google.com/"; and NOT to
> "http://www.microsoft.com/"; .
>
> <a href="http://www.microsoft.com/";><table><tr><td><a
> href="http://www.google.com/";>Click here</td></tr></table></a>
>
> Description: Microsoft Internet Explorer can't handle links surrounded by a
> table and an other link correct.
>
> The bug can be exploited using HTML mail message too.
>
> Affected software: Microsoft Internet Explorer, Microsoft Outlook Express,
> ...
>
> Workaround: Don't click on non-trusted links. Or right-click on links to
> see the real target. Or use Copy-and-Paste.
>
> Regards,
> Benjamin Tobias Franz
> Germany
>
>