
New URL Spoofing Flaw Found in Internet Explorer
Netcraft | October 29, 2004 01:52 PM | richm

Posted on 10/30/2004 1:05:40 PM PDT by FreedomCalls

A new spoofing flaw in Microsoft's Internet Explorer browser allows an improperly coded web link to send users to a different URL than the one displayed in the status bar.

The flaw, which was posted to the Bugtraq mailing list by Benjamin Franz, is exploited by placing two URLs and a table within a single HTML href tag, producing a link that looks like this:

http://www.microsoft.com
displaying http://www.microsoft.com in the browser, but sending the user to Google. Franz says the exploit works in fully-patched versions of Internet Explorer and Outlook Express, meaning the HTML code can be used to create spoofed URLs in webpages and HTML e-mails.

The technique, which can be executed by anyone with basic knowledge of HTML, can be used to construct convincing fake URLs for use in phishing scams. The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML. The attack opens one href tag, and then leaves that tag open while enclosing a second URL within a table. The browser displays the first URL in the status bar, but sends users to the second URL.

The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2, but are current on all other critical updates from Windows Update - as well as the Safari browser for Macs. Users running Windows XP SP2 (IE version 6.0.2900) and the open source Firefox and Mozilla browsers are not affected.

Phishing attacks seek to trick account holders into divulging sensitive account information through the use of e-mails which appear to come from trusted financial institutions and retailers. Several previous URL spoofing weaknesses in Internet Explorer have been widely used by phishing attacks. The ability to display a fraudulent URL in the status bar is especially useful, as security-conscious users would check the status bar before clicking through. The technique does not disguise the URL displayed in the address bar upon arrival at the destination page, meaning alert users will recognize the spoof at that point. But the tactic could be used to send e-mail recipients and web surfers to pages that attempt to download malware upon loading, a common tactic used by phishers to install trojans and keyloggers.

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.
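A defensive check for the nested-anchor layout the article describes (one href left open, a second one wrapped in a table), written here as an added example and not code from Netcraft or the Bugtraq post: it scans a web page or HTML e-mail body for an <a> opened while another <a> is still open, and for link text that shows one host while the href points to another. The sample markup and its hosts (bank.example, phish.example) are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class NestedAnchorScanner(HTMLParser):
    """Flags an <a> opened while another <a> is still open, and link text
    that looks like a URL but names a different host than its href."""

    def __init__(self):
        super().__init__()
        self.open_hrefs = []   # hrefs of <a> tags not yet closed (a stack)
        self.text = []         # text seen inside the innermost open <a>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if self.open_hrefs:    # a second <a> before the first was closed
            self.findings.append(
                f"nested anchor: outer={self.open_hrefs[-1]} inner={href}")
        self.open_hrefs.append(href)
        self.text = []

    def handle_data(self, data):
        if self.open_hrefs:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or not self.open_hrefs:
            return
        href = self.open_hrefs.pop()
        shown = "".join(self.text).strip()
        self.text = []
        if shown.lower().startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname
            target_host = urlparse(href).hostname
            if shown_host and target_host and shown_host != target_host:
                self.findings.append(
                    f"display/target mismatch: shows {shown_host}, goes to {target_host}")

def scan_html(markup):
    scanner = NestedAnchorScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

# Constructed sample with the article's nested-anchor layout (placeholder hosts).
SPOOF_SAMPLE = ('<a href="https://www.bank.example/"><table><tr><td>'
                '<a href="http://phish.example/login">https://www.bank.example/</a>'
                '</td></tr></table></a>')
```

Both findings fire on the sample: the nested anchor itself, and the visible URL naming a host other than the one the inner href leads to.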



TOPICS: Business/Economy; Front Page News; Miscellaneous; Technical
KEYWORDS: exploit; explorer; getamac; ie; internetexploiter; lowqualitycrap; microsoft; patch; securityflaw; spoofing; trojan; virus; windows; worm
Careful. Here's a more relevant example of the spoof:

http://www.georgewbush.com/

1 posted on 10/30/2004 1:05:55 PM PDT by FreedomCalls

To: FreedomCalls

Strange, when you right-click on the link and hit Properties, you get the real URL (johnkerry.com).


2 posted on 10/30/2004 1:08:08 PM PDT by flashbunny (Every thought that enters my head requires its own vanity thread.)

To: FreedomCalls
Download FireFox here:

http://www.mozilla.org/products/firefox/

This is the latest version of the old Netscape browser code.

And that link isn't spoofed! :-)
3 posted on 10/30/2004 1:09:39 PM PDT by ScottM1968

To: FreedomCalls
Interestingly, on my system, using the MS/Google link, Firefox shows the MS page with MS in the address bar, while Opera shows the Google page with Google in the address bar.
4 posted on 10/30/2004 1:16:01 PM PDT by steve86

To: ShadowAce

bump....


5 posted on 10/30/2004 1:17:39 PM PDT by JoJo Gunn (More than two lawyers in any Country constitutes a terrorist organization. ©)

To: BearWash
And Konqueror shows Google/Google and Galeon (based on Mozilla like Firefox) shows MS/MS. Looks like IE is the only one with the spoof discrepancy.
6 posted on 10/30/2004 1:21:51 PM PDT by steve86

To: FreedomCalls

Firefox 1.0pr goes to President Bush's site, but IE goes to the Kerry site.

But in Firefox, right clicking and checking the properties opens the President's site anyway when you close the box. weird....


7 posted on 10/30/2004 1:22:40 PM PDT by JoJo Gunn (More than two lawyers in any Country constitutes a terrorist organization. ©)

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

Browser Wars Ping!!


8 posted on 10/30/2004 1:22:42 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

BTTT


9 posted on 10/30/2004 1:23:04 PM PDT by politicket

To: FreedomCalls

Nice.

That's why I have the status bar open.


10 posted on 10/30/2004 1:26:18 PM PDT by Mortikhi

To: FreedomCalls
<a href="http://www.georgewbush.com/">
<table><tr><td>
<a href="http://www.johnkerry.com/">http://www.georgewbush.com/</a>
</td></tr></table>
</a>

.............

Thanks for the heads up.

11 posted on 10/30/2004 1:26:46 PM PDT by NewMediaFan (Fake but accurate)

To: FreedomCalls

Weird problem "solved".

In Firefox, your link acts as if it stretches all the way to the right, though I highlighted everything and nothing is there. Apparently I clicked on that empty space when closing the Properties box, and went to the President's site.

Does any other FF user see that? I don't see it in IE6.


12 posted on 10/30/2004 1:27:47 PM PDT by JoJo Gunn (More than two lawyers in any Country constitutes a terrorist organization. ©)

To: FreedomCalls

Using Firefox 1.0PR, clicking the link takes you to georgewbush.com, opening it in a new tab goes to johnkerry.com.


13 posted on 10/30/2004 1:28:37 PM PDT by BigSkyFreeper (If you're for civil unions, you're for gay marriage)

To: FreedomCalls

mark for later


14 posted on 10/30/2004 1:29:40 PM PDT by USF

To: FreedomCalls

Interesting. I never would have thought of that, even with the coding errors I make due to incompetent typing and caffeine withdrawal...or both.


15 posted on 10/30/2004 1:31:24 PM PDT by cake_crumb (UN Resolutions=Very Expensive, Very SCRATCHY Toilet Paper)

To: ScottM1968

I always thought I was the only person that actually used Mozilla Firefox until I found FR. Seems others here use it too. Firefox is a great browser.


16 posted on 10/30/2004 1:34:52 PM PDT by dumpdaschle (I actually did vote for John Kerry before I voted against him.)

To: FreedomCalls

'Nuff said.

17 posted on 10/30/2004 1:35:51 PM PDT by mhking

To: ScottM1968

I'm using Mozilla Firefox and that spoof works in my browser too! So it's not just Internet Exploder.


18 posted on 10/30/2004 1:36:34 PM PDT by Bon mots

To: BearWash

Opera shows Google/Google under both W98SE and Mandrake 9.2 (as expected), as does Konqueror under Mandrake. The mouseover popup in Opera isn't even fooled; it says Google too. Don't have any versions of ignorance exploiter to try it out on :-) Poor ie users. Poor microsoft victims.


19 posted on 10/30/2004 1:39:35 PM PDT by surtcaldera (Adding to the vastness of the rightwing conspiracy, one post at a time)

To: Bon mots
Try installing Spoof Stick
20 posted on 10/30/2004 1:42:15 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

