Free Republic
New URL Spoofing Flaw Found in Internet Explorer
Netcraft ^ | October 29, 2004 01:52 PM | richm

Posted on 10/30/2004 1:05:40 PM PDT by FreedomCalls

A new spoofing flaw in Microsoft's Internet Explorer browser allows an improperly coded web link to send users to a different URL than the one displayed in the status bar.

The flaw, which was posted to the Bugtraq mailing list by Benjamin Franz, is exploited by placing two URLs and a table within a single HTML href tag, producing a link that looks like this:

http://www.microsoft.com
displaying http://www.microsoft.com in the browser, but sending the user to Google. Franz says the exploit works in fully patched versions of Internet Explorer and Outlook Express, meaning the HTML code can be used to create spoofed URLs in web pages and HTML e-mails.

The technique, which can be executed by anyone with a basic knowledge of HTML, can be used to construct convincing fake URLs for use in phishing scams. The flaw stems from how Internet Explorer handles malformed HTML. The attack opens one anchor (href) tag and leaves it open, then encloses a second URL, inside a table, within it. The browser displays the first URL in the status bar but sends users to the second URL.
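The structure described above, as an added example that is not from the Netcraft article or from Benjamin Franz's Bugtraq post: a small Node.js scanner that flags the nested-anchor signature in an HTML mail or page body, the kind of check a mail gateway or phishing-triage script could run. The sample markup is a reconstruction from the article's description (an outer anchor left open, a table, a second anchor around the visible text), not the advisory's exact HTML; the hostnames are only the ones the article itself mentions, and the `findNestedAnchors` function name is this example's own.

```javascript
// Scanner for the nested-anchor status-bar spoof the article describes.
// Illustrative detection code added for this page; it is not code from the
// Netcraft article or from Benjamin Franz's Bugtraq post, and the sample
// markup below is a reconstruction from the article's description, not the
// advisory's original HTML.

const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const HREF_RE = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Pull the href value out of a tag's attribute string; null if absent.
function extractHref(attrs) {
  const m = HREF_RE.exec(attrs);
  if (!m) return null;
  const value = m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
  return value.trim();
}

// Lower-cased hostname of an absolute URL; null if it does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (_e) {
    return null;
  }
}

// Walk the tag stream, tracking open <a> elements and <table> depth, and
// report every anchor opened while another anchor pointing at a different
// host is still open. Which of the two hrefs a browser shows in the status
// bar and which it navigates to varies by browser, so both are reported.
function findNestedAnchors(html) {
  const findings = [];
  const openAnchors = []; // stack of { href, tableDepth }
  let tableDepth = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (name === 'table') {
      tableDepth = Math.max(0, tableDepth + (closing ? -1 : 1));
      continue;
    }
    if (name !== 'a') continue;
    if (closing) {
      openAnchors.pop();
      continue;
    }
    const href = extractHref(m[3] || '');
    if (openAnchors.length > 0) {
      const outer = openAnchors[openAnchors.length - 1];
      if (outer.href !== null && href !== null &&
          hostOf(outer.href) !== hostOf(href)) {
        findings.push({
          outerHref: outer.href, // first href, left open
          innerHref: href,       // second href, nested inside it
          viaTable: tableDepth > outer.tableDepth,
        });
      }
    }
    openAnchors.push({ href, tableDepth });
  }
  return findings;
}

// Constructed samples. SAMPLE_SPOOF has the shape the article describes:
// one anchor opened and left open, a table started inside it, and a second
// anchor with a different destination wrapped around the visible text.
const SAMPLE_SPOOF =
  '<a href="http://www.microsoft.com/"><table><tr><td>' +
  '<a href="http://www.google.com/">http://www.microsoft.com</a>' +
  '</td></tr></table></a>';

// Two sibling links to different sites: well-formed, must not be flagged.
const SAMPLE_BENIGN =
  '<p>See <a href="http://www.microsoft.com/">Microsoft</a> and ' +
  '<a href="http://www.google.com/">Google</a>.</p>';

// Same-host nesting (sloppy but honest markup) is also left alone.
const SAMPLE_SAME_HOST =
  '<a href="http://www.example.com/"><a href="http://www.example.com/a">x</a></a>';

if (typeof require !== 'undefined' && require.main === module) {
  const cases = [['spoof', SAMPLE_SPOOF], ['benign', SAMPLE_BENIGN],
                 ['same-host', SAMPLE_SAME_HOST]];
  for (const [label, html] of cases) {
    console.log(label, JSON.stringify(findNestedAnchors(html)));
  }
}
```

The scanner deliberately does not try to predict which href a given browser honours; the thread itself shows that this differed between IE, Firefox's context-menu actions and Safari. Flagging the structural signature (two anchors open at once, different hosts, a table in between) is the browser-independent check, and `viaTable` lets a triage rule weight the exact pattern Franz reported more heavily than ordinary nested-anchor sloppiness.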

The flaw affects versions of IE up to 6.0.2800.1106 (which includes systems that have not yet installed Windows XP SP2 but are current on all other critical updates from Windows Update), as well as the Safari browser for Macs. Users running Windows XP SP2 (IE version 6.0.2900) and the open source Firefox and Mozilla browsers are not affected.

Phishing attacks seek to trick account holders into divulging sensitive account information through the use of e-mails which appear to come from trusted financial institutions and retailers. Several previous URL spoofing weaknesses in Internet Explorer have been widely used by phishing attacks. The ability to display a fraudulent URL in the status bar is especially useful, as security-conscious users would check the status bar before clicking through. The technique does not disguise the URL displayed in the address bar upon arrival at the destination page, meaning alert users will recognize the spoof at that point. But the tactic could be used to send e-mail recipients and web surfers to pages that attempt to download malware upon loading, a common tactic used by phishers to install trojans and keyloggers.

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.



TOPICS: Business/Economy; Front Page News; Miscellaneous; Technical
KEYWORDS: exploit; explorer; getamac; ie; internetexploiter; lowqualitycrap; microsoft; patch; securityflaw; spoofing; trojan; virus; windows; worm
To: ShadowAce

Just installed it. Thanks!


21 posted on 10/30/2004 1:45:53 PM PDT by Bon mots
[ Post Reply | Private Reply | To 20 | View Replies]

To: FreedomCalls

bump, when you say be careful, if we try it, will we be sent to a porno site or end up with a virus?


22 posted on 10/30/2004 1:54:26 PM PDT by newsgatherer
[ Post Reply | Private Reply | To 1 | View Replies]

as well as the Safari browser for Macs...

Just tried it. Spoof didn't fool Safari.

23 posted on 10/30/2004 1:55:38 PM PDT by D-fendr (They can't steal it if it isn't close.)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Bon mots

You may be using an earlier version.

Mine goes to the true Bush site.

Update your copy ASAP.


24 posted on 10/30/2004 1:56:46 PM PDT by ScottM1968
[ Post Reply | Private Reply | To 18 | View Replies]

To: FreedomCalls

"Careful. Here's a more relevant example of the spoof:

http://www.georgewbush.com/"




I right clicked your link, and under properties it says the link equates to www.johnkerry.com. However, when I do a single left-click on the link, in order to follow it, I am taken to George W. Bush's web site anyway. I am running Netscape 7.1. So it seems that my version of Netscape was not fooled.


25 posted on 10/30/2004 1:58:01 PM PDT by Zetman
[ Post Reply | Private Reply | To 1 | View Replies]

To: FreedomCalls
displaying http://www.microsoft.com in the browser, but sending the user to Google.

Didn't happen to me.

Of course, I'm using Mozilla...

26 posted on 10/30/2004 1:59:54 PM PDT by xm177e2 (Stalinists, Maoists, Ba'athists, Pacifists: Why are they always on the same side?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: newsgatherer
bump, when you say be careful, if we try it, will we be sent to a porno site or end up with a virus?

Not at all. My example says "GeorgeWBush.com" but if you click on the link it will take you to "JohnKerry.com" instead. Try it.

The possibility exists that bad guys could use the exploit to do just as you said, or to send you to a spoof site that is intended to get personal details like credit card numbers or passwords -- which is why I advised caution. My link (and the one in the article) is perfectly safe.

Here's another example:

Free Republic.

27 posted on 10/30/2004 2:04:22 PM PDT by FreedomCalls (It's the "Statue of Liberty," not the "Statue of Security.")
[ Post Reply | Private Reply | To 22 | View Replies]

To: dumpdaschle

I've given 100+ copies of FireFox to users on my network for home use, and we use it at work for all non-IE-only internet sites. Alas, some stuff requires IE, or I'd dump it faster than Kerry could hop a rich widow.


28 posted on 10/30/2004 2:05:14 PM PDT by Salo
[ Post Reply | Private Reply | To 16 | View Replies]

To: BigSkyFreeper
That's what I got.

Heh, I still love Firefox. Download it here:

http://www.mozilla.org/products/firefox/

29 posted on 10/30/2004 2:05:52 PM PDT by BJClinton (We need a President who will stand up to the trial lawyers in Washington, not put one on the ticket.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: FreedomCalls
Hm.

http://www.ineverthoughtofdoingthisbefore.com

:-)

30 posted on 10/30/2004 2:06:11 PM PDT by k2blader (It is neither compassionate nor conservative to support the expansion of socialism.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ScottM1968

I'm using IE version 6.0 and it takes me to the wrong site. The status bar shows incorrectly as well.


31 posted on 10/30/2004 2:06:57 PM PDT by FreedomCalls (It's the "Statue of Liberty," not the "Statue of Security.")
[ Post Reply | Private Reply | To 24 | View Replies]

To: FreedomCalls
Users running Windows XP SP2 (IE version 6.0.2900) and the open source Firefox and Mozilla browsers are not affected.

I hate to say this but XP SP2 is just as vulnerable to the spoof as any other version of Windows XP.

32 posted on 10/30/2004 2:08:56 PM PDT by COEXERJ145 (The price of freedom is eternal vigilance)
[ Post Reply | Private Reply | To 1 | View Replies]

To: k2blader
Your version shows the correct USA Today site on the status bar though. If you add the table html codes it will display the status bar wrongly as well. NewMEdiaFan in post 11 showed how to do it.
33 posted on 10/30/2004 2:12:02 PM PDT by FreedomCalls (It's the "Statue of Liberty," not the "Statue of Security.")
[ Post Reply | Private Reply | To 30 | View Replies]

To: FreedomCalls

I see the correct link in the status bar. I'm guessing it's because I have SP2. I'm going to try this at work where I don't.


34 posted on 10/30/2004 2:12:52 PM PDT by FourtySeven (47)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Zetman

Indeed, when I just do a simple left click, I get a "page cannot be displayed". Again, I think it's because I have SP2.


35 posted on 10/30/2004 2:14:16 PM PDT by FourtySeven (47)
[ Post Reply | Private Reply | To 25 | View Replies]

To: FreedomCalls
Mozilla's Firefox will not do that. Go to the link mentioned above to download Firefox.

It is the current best competitor to IE. As the article mentioned, no version of IE is fixed yet.

IE is a major source of spyware infiltration on people's computers. Its main advantage at one time was its use of Active-X routines to allow near-complete control of your computer via web pages (thus greatly lowering bandwidth need and greatly increasing graphic possibilities). It is this same benefit that is now exploited via spyware programs. These programs are downloaded (often without permission) onto your computer and can collect all keystrokes from within your browser.

Java, rather than Active-X, is used by all other browsers. IE also uses Java, thus maintaining the greatest level of capability but at the aforementioned risk.
36 posted on 10/30/2004 2:17:06 PM PDT by ScottM1968
[ Post Reply | Private Reply | To 31 | View Replies]

Hm, trying again using their code:

http://www.tryingagain.com

Okay, I don't understand what the table tag is for.

37 posted on 10/30/2004 2:18:09 PM PDT by k2blader (It is neither compassionate nor conservative to support the expansion of socialism.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FreedomCalls

I get it! The status bar! Thanks. :-)


38 posted on 10/30/2004 2:21:11 PM PDT by k2blader (It is neither compassionate nor conservative to support the expansion of socialism.)
[ Post Reply | Private Reply | To 33 | View Replies]

To: k2blader

That one worked perfectly (or maliciously)!


39 posted on 10/30/2004 2:21:26 PM PDT by FreedomCalls (It's the "Statue of Liberty," not the "Statue of Security.")
[ Post Reply | Private Reply | To 37 | View Replies]

To: mhking
Great browser and I use it at times, but I usually use Opera and in this case Firefox is susceptible to the same spoof as Internet Explorer.

Right click and choose "Open link in new window" or right click and choose "Open link in new tab" and you will see that it goes to the spoofed address.

Try it here:

http://www.mozilla.org/products/firefox

40 posted on 10/30/2004 2:21:48 PM PDT by Weirdad (A Free Republic, not a "democracy" (mob rule))
[ Post Reply | Private Reply | To 17 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
