Posted on 10/30/2004 1:05:40 PM PDT by FreedomCalls
The flaw, which was posted to the Bugtraq mailing list by Benjamin Franz, is exploited by placing two URLs and a table within a single HTML href tag, producing a link that looks like this:
http://www.microsoft.com |
The technique, which can be executed by anyone with basic knowledge of HTML, can be used to construct convincing fake URLs for use in phishing scams. The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML. The attack opens one href tag, and then leaves that tag open while enclosing a second URL within a table. The browser displays the first URL in the status bar, but sends users to the second URL.
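The structural pattern the article describes (an anchor left open, a table nested inside it, and a second anchor carrying a different destination) is easy to flag on the mail-gateway or proxy side, regardless of which browser renders it. The following is an added example, not code from the article or from the Bugtraq post: a small auditor built on Python's standard `html.parser` that reports nested anchors, tables opened inside an anchor, anchors never closed, and link text that looks like a URL but points at a different host. The sample fragments are constructed for the example; the phishing host is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(s):
    """Hostname of a URL, tolerating bare 'www.example.com' style text."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    return text.startswith(("http://", "https://", "www."))


class LinkAuditor(HTMLParser):
    """Records findings while walking an HTML fragment.

    Each finding is a (kind, href, detail) tuple. HTMLParser reports tags in
    document order without enforcing nesting, which is exactly what lets us
    see an <a> opened while another <a> is still open.
    """

    def __init__(self):
        super().__init__()
        self.open_anchors = []  # stack of [href, list_of_text_chunks]
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if self.open_anchors:
                self.findings.append(("nested-anchor", self.open_anchors[-1][0], href))
            self.open_anchors.append([href, []])
        elif tag == "table" and self.open_anchors:
            self.findings.append(("table-inside-anchor", self.open_anchors[-1][0], ""))

    def handle_data(self, data):
        if self.open_anchors:
            self.open_anchors[-1][1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            href, chunks = self.open_anchors.pop()
            self._check_text(href, "".join(chunks).strip())

    def close(self):
        super().close()
        # Anchors still open at end of input were never closed: report them,
        # and still compare whatever text they collected against their href.
        while self.open_anchors:
            href, chunks = self.open_anchors.pop()
            self.findings.append(("unclosed-anchor", href, ""))
            self._check_text(href, "".join(chunks).strip())

    def _check_text(self, href, text):
        # Visible text that reads as a URL should name the same host as href.
        if looks_like_url(text) and host_of(text) != host_of(href):
            self.findings.append(("text-host-mismatch", href, text))


def audit_html(fragment):
    """Return the list of findings for an HTML fragment (empty if clean)."""
    p = LinkAuditor()
    p.feed(fragment)
    p.close()
    return p.findings


# Constructed sample shaped like the pattern the article describes (not the
# Bugtraq post's markup): an <a> left open, a table inside it, and a second
# <a> carrying a different destination. The phishing host is a placeholder.
SPOOF_FRAGMENT = (
    '<a href="http://www.microsoft.com">'
    "<table><tr><td>"
    '<a href="http://lookalike.example/login">http://www.microsoft.com</a>'
    "</td></tr></table>"
)

# Constructed benign link: text and href agree, nesting is well formed.
BENIGN_FRAGMENT = '<p>See <a href="http://www.microsoft.com">www.microsoft.com</a>.</p>'


if __name__ == "__main__":
    for kind, href, detail in audit_html(SPOOF_FRAGMENT):
        print(f"{kind:22} href={href!r} {detail!r}")
    print("benign findings:", audit_html(BENIGN_FRAGMENT))
```

Any one of these findings is a reason to quarantine or rewrite the message; the text-host-mismatch check alone also catches the simpler spoofs that need no malformed markup at all.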
The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2, but are current on all other critical updates from Windows Update - as well as the Safari browser for Macs. Users running Windows XP SP2 (IE version 6.0.2900) and the open source Firefox and Mozilla browsers are not affected.
Phishing attacks seek to trick account holders into divulging sensitive account information through the use of e-mails which appear to come from trusted financial institutions and retailers. Several previous URL spoofing weaknesses in Internet Explorer have been widely used by phishing attacks. The ability to display a fraudulent URL in the status bar is especially useful, as security-conscious users would check the status bar before clicking through. The technique does not disguise the URL displayed in the address bar upon arrival at the destination page, meaning alert users will recognize the spoof at that point. But the tactic could be used to send e-mail recipients and web surfers to pages that attempt to download malware upon loading, a common tactic used by phishers to install trojans and keyloggers.
Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.
It's a great article, really! ;-)
It's not working on my IBM Selectric II. Am I doing something wrong?
(It seemed funny when I typed it.)
When you open links this way you defeat all of the protections built into Mozilla/Firefox. I suggest that you always left click on links, as the best way to defeat spoofing.
Personally, I use Camino at home, which is a Mozilla version tailored as a high-speed low-overhead Firefox for Mac OS X (not suggesting you or anyone switch). I don't use tabs for browsing at all, on the theory that the more I let the computer do for me, the less secure the browser is.
Thanks to Mozilla, I no longer care about these kinds of stories.
A real developer would've linked the image to the site lol
However, it remains really annoying how many web sites specifically demand Internet Explorer even when they would probably run with another browser. Several hospitals that I log into permit ONLY IE, and both my bank and credit card demand it. Even using another browser ID setting will not work.
One major very expensive software package I must use uses IE components within the application, and as a result is now "broken" by any upgrade to WinXP SP2. So I have to run a less secure OS just to use one megaexpensive app that makes the mistake of being very dependent on MS Software.
Firefox freaking rules - I have been using it exclusively since I got it a month ago! Leaves MS Internet Explorer in the DUST!
Of course the first thing most smart IE users do if forced to use it is shut off unsigned AX and make signed work on a permission only basis.
Gee, my IE works fine. Sure, the text says the link goes somewhere else, but when I hover over it, the status bar shows the correct URL and after navigation the address bar also shows the correct URL.
Not seeing what the issue is here...
Did you RTFA? IE versions 6.0.2800 or less are affected. IE versions 6.0.2900 or later are not.
One financial institution I deal with allows users of its web site to set a "security phrase" which the Credit Union will include in all legitimate emails. So if you set your Security phrase to "FREEPERS RULE!" then any email you get which is supposedly from that financial institution that lacks those words is a phony.
The use of a security phrase would not prevent someone from intercepting a real email to you and using it to generate a fake one. It would, however, stop a more common form of phishing, which is to simply send out millions of phony emails without any degree of per-recipient interaction.
Given that such an approach is so simple, why don't any of the "big" firms do it?
Thanks!
Anyone know the best anti-spam software? Recently I've been getting a lot more than usual... to the point where I feel willing to pay money to stop it...
www.google.com www.dogpile.com |
By the way, on Firefox, the "normal" text in the table appears as black with a link-colored underline, except for the word "table" for which I requested [font color=red] (it appears as red text with a red underline) and the word "these" for which I requested underlining (it appears as black with a black underline).
There is an extension called SpoofStick that will display the real URL of wherever you're surfing.
For 1.0PR users.
IE6 goes to kerry