Cont Click that link, Microsft tells users to type it...

Microsoft.com ^ | Microsfot

[N3WBI3]

When you point to a hyperlink in Microsoft Internet Explorer, Microsoft Outlook Express, or Microsoft Outlook, the address of the Web site typically appears in the Status bar at the bottom of the window. After you click a link that opens in Internet Explorer, the address of the Web site typically appears in the Internet Explorer Address bar, and the title of the Web page typically appears in the Title bar of the window.

However, a malicious user could create a link to a deceptive (spoofed) Web site that displays the address, or URL, to a legitimate Web site in the Status bar, Address bar, and Title bar. This article describes steps that you can take to help mitigate this issue and to help you to identify a deceptive (spoofed) Web site or URL.

[N3WBI3]

Bwhhahahahah...

[thoughtomator]

This is old news, too. Surprising they're acting like it's brand new!

[DManA]

It is perfectly safe to use dynamite in your mine, as long as you don't light the fuse.

[danneskjold]

This isn't a Microsoft only issue...any browser that runs Javascript can be spoofed this way...

[wesdale]

You're link to the Microsoft support document does not work.

hmmm

[11th Earl of Mar]

And you want me to click that link for the whole story?

Yeah... right!

[lol]

[DManA]

They pretended like they were working on it then hoped the threat would just go away.

[thoughtomator]

Yeah, but because MS uses the same shoddy code for everything, a problem in one program becomes a problem in every single program that uses that feature... so what would be a simple browser issue elsewhere is now a browser, email, calendaring, word processing, etc. issue.

[Izzy Dunne]

Cont Click that link, Microsft tells users to type it...
Microsoft.com ^ | Microsfot

This resembles English.

[js1138]

Bad link...

[danneskjold]

Yeah, but because MS uses the same shoddy code for everything, a problem in one program becomes a problem in every single program that uses that feature... so what would be a simple browser issue elsewhere is now a browser, email, calendaring, word processing, etc. issue.

shoddy code?...bit of a stretch...anyone that uses javascript could have this issue...

[Salo]

It's an Explorer issue.

[danneskjold]

I can post a link on an html page that will display a diffent link address when you hover over it, in any browser that supports javascript...

[N3WBI3]

Opera runs JS but does not behave in this manner

[Prime Choice]

I can post a link on an html page that will display a diffent link address when you hover over it, in any browser that supports javascript...

No true. Mozilla supports Javascript and doesn't exhibit this behavior.

[B Knotts]

This isn't a Microsoft only issue...any browser that runs Javascript can be spoofed this way...

That's incorrect. Mozilla and Konqueror both display the full URL. Only Internet Explorer is vulnerable.

[Salo]

You will see it displayed correctly in any browser but MS Internet Explorer for Windows. IE will only show the spoofed address. Here.

[HAL9000]

Manually typing in the URL can be just as dangerous as clicking the link. It is still possible to arrive at a malicious (to Windows) site if the user is not familiar with URL encoding and doesn't think about what they're typing in.

Fundamentally, this is an issue about a crap operating system more than an unsafe URL.

[B Knotts]

It's true that you can do a similar thing in Javascript. However, the IE code is used in other contexts where Javascript is not normally used.

[Salo]

BTW, another related MS IE security hole, here.