New URL Spoofing Flaw Found in Internet Explorer
Netcraft ^ | October 29, 2004 01:52 PM | richm

Posted on 10/30/2004 1:05:40 PM PDT by FreedomCalls

A new spoofing flaw in Microsoft's Internet Explorer browser allows an improperly coded web link to send users to a different URL than the one displayed in the status bar.

The flaw, which was posted to the Bugtraq mailing list by Benjamin Franz, is exploited by placing two URLs and a table within a single HTML href tag, producing a link that looks like this:

http://www.microsoft.com
displaying http://www.microsoft.com in the browser, but sending the user to Google. Franz says the exploit works in fully-patched versions of Internet Explorer and Outlook Express, meaning the HTML code can be used to create spoofed URLs in webpages and HTML e-mails.

The technique, which can be executed by anyone with basic knowledge of HTML, can be used to construct convincing fake URLs for use in phishing scams. The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML. The attack opens one href tag, and then leaves that tag open while enclosing a second URL within a table. The browser displays the first URL in the status bar, but sends users to the second URL.

The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2, but are current on all other critical updates from Windows Update - as well as the Safari browser for Macs. Users running Windows XP SP2 (IE version 6.0.2900) and the open source Firefox and Mozilla browsers are not affected.

Phishing attacks seek to trick account holders into divulging sensitive account information through the use of e-mails which appear to come from trusted financial institutions and retailers. Several previous URL spoofing weaknesses in Internet Explorer have been widely used by phishing attacks. The ability to display a fraudulent URL in the status bar is especially useful, as security-conscious users would check the status bar before clicking through. The technique does not disguise the URL displayed in the address bar upon arrival at the destination page, meaning alert users will recognize the spoof at that point. But the tactic could be used to send e-mail recipients and web surfers to pages that attempt to download malware upon loading, a common tactic used by phishers to install trojans and keyloggers.

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.
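The nested-anchor trick the article describes can be checked for on the receiving side (a mail gateway or a page linter). The following is an added example, not code from Netcraft or the article: a small Python scanner built on the standard library's html.parser that flags an anchor opened while an earlier anchor is still unclosed (the href a status bar would show versus the href the click follows) and link text that is itself a URL but differs from its href. The sample HTML and domain names are constructed for the example.

```python
from html.parser import HTMLParser


class SpoofedLinkDetector(HTMLParser):
    """Flags anchors whose visible target disagrees with the real one."""

    def __init__(self):
        super().__init__()
        self.open_hrefs = []   # hrefs of anchors that have not been closed
        self.findings = []     # (kind, shown_to_user, actual_destination)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if self.open_hrefs and self.open_hrefs[-1] != href:
            # Inner <a> opened while an outer <a> is still open: the outer
            # href is what the affected browsers showed in the status bar,
            # the inner href is where the click actually went.
            self.findings.append(("nested-anchor", self.open_hrefs[-1], href))
        self.open_hrefs.append(href)

    def handle_data(self, data):
        text = data.strip()
        if self.open_hrefs and text.startswith(("http://", "https://")):
            if text.rstrip("/") != self.open_hrefs[-1].rstrip("/"):
                # Link text that looks like a URL but is not the real href.
                self.findings.append(("text-mismatch", text, self.open_hrefs[-1]))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()


def find_spoofed_links(html):
    """Return a list of (kind, shown, actual) findings for an HTML fragment."""
    parser = SpoofedLinkDetector()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: outer anchor never closed, second anchor inside a table.
SAMPLE_SPOOF = (
    '<a href="http://www.example-bank.test/"><table><tr><td>'
    '<a href="http://redirect.example/login">http://www.example-bank.test/</a>'
    '</td></tr></table>'
)
SAMPLE_CLEAN = '<p><a href="http://www.example-bank.test/">Bank</a></p>'

if __name__ == "__main__":
    for kind, shown, actual in find_spoofed_links(SAMPLE_SPOOF):
        print(f"{kind}: user sees {shown}, click goes to {actual}")
```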



TOPICS: Business/Economy; Front Page News; Miscellaneous; Technical
KEYWORDS: exploit; explorer; getamac; ie; internetexploiter; lowqualitycrap; microsoft; patch; securityflaw; spoofing; trojan; virus; windows; worm
To: ScottM1968

I don't see the open under file to type in url? In Foxfire, I mean


61 posted on 10/30/2004 7:14:23 PM PDT by GregB (Broken Glass Republican!!!!!!!!)
[ Post Reply | Private Reply | To 3 | View Replies]

To: flashbunny

Which operating system are you running, and with which service patch?


62 posted on 10/30/2004 7:18:35 PM PDT by Cultural Jihad
[ Post Reply | Private Reply | To 2 | View Replies]

To: supercat
http://www.ebay.com

Messing around a bit above with the table and nested links. I think I see what you're saying. Thanks!

I noticed that right-clicking the link displays in the status bar the website it'll take you to.

63 posted on 10/30/2004 7:34:13 PM PDT by k2blader (It is neither compassionate nor conservative to support the expansion of socialism.)
[ Post Reply | Private Reply | To 58 | View Replies]

To: FreedomCalls
[image]
64 posted on 10/30/2004 7:52:40 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: k2blader
I noticed that right-clicking the link displays in the status bar the website it'll take you to.

YES IT DOES! Thanks for finding that out. That's a finding worthy of any detective. Are Free Republic people the smartest, most insightful, and probably best looking or what?

65 posted on 10/30/2004 8:01:44 PM PDT by FreedomCalls (It's the "Statue of Liberty," not the "Statue of Security.")
[ Post Reply | Private Reply | To 63 | View Replies]

To: ScottM1968; FreedomCalls

My FireFox does the same as IE ... but I love the way it warns me when I'm closing the whole browser instead of just a window/tab! ;-)


66 posted on 10/30/2004 8:12:43 PM PDT by Tunehead54 (OK Swifties - It's October! Let'm have it!)
[ Post Reply | Private Reply | To 3 | View Replies]

To: ShadowAce

CommSec BUMP


67 posted on 10/30/2004 8:19:36 PM PDT by LTCJ (CBS, all your Boyd Cycles are belong to us.)
[ Post Reply | Private Reply | To 64 | View Replies]

To: GregB

You need to click on the download reference on the upper right side of the screen. It is in the green box with the big words "Free Download".

Run it or save it locally to run it from your drive.


68 posted on 10/30/2004 8:27:23 PM PDT by ScottM1968
[ Post Reply | Private Reply | To 61 | View Replies]

To: Tunehead54

You need to download a more recent version. The current version does not have the problem when you open a spoofed link in your current window.


69 posted on 10/30/2004 8:29:01 PM PDT by ScottM1968
[ Post Reply | Private Reply | To 66 | View Replies]

To: FreedomCalls

'Twas a pleasure to stumble upon. *LOL*

And yes, we are! ;-D


70 posted on 10/31/2004 1:57:57 AM PDT by k2blader (It is neither compassionate nor conservative to support the expansion of socialism.)
[ Post Reply | Private Reply | To 65 | View Replies]

To: FreedomCalls

Interesting. Here at work, if I point at the link, it still shows the correct link (Kerry's website) in the status bar, but this time it does redirect to Kerry's website (if the link is clicked on), unlike at home on the SP2, where it simply said "page cannot be displayed". Here I'm using a Mac with OS X version 10.1.5, with Internet Explorer for Mac version 5.2.3


71 posted on 11/01/2004 7:25:30 AM PST by FourtySeven (47)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FreedomCalls

Ok, so upgrade and all is well, right? Why is this a big deal?


72 posted on 11/01/2004 7:30:21 PM PST by showpromid (Victory 2004)
[ Post Reply | Private Reply | To 55 | View Replies]

To: showpromid
If you upgrade all is indeed well. Most people don't. If you don't, you could be the victim of a "phishing" scam.
73 posted on 11/01/2004 8:18:04 PM PST by FreedomCalls (It's the "Statue of Liberty," not the "Statue of Security.")
[ Post Reply | Private Reply | To 72 | View Replies]
