
New URL Spoofing Bug in Pre-SP2 IE

An anonymous reader writes "According to Netcraft a new security flaw has been found in Microsoft Internet Explorer which makes it possible to spoof a URL with just some simple HTML code, by enclosing two URLs and a table within a single href tag. The user will be sent to one site, but the status bar will show a fake URL. The bug apparently affects IE and Outlook Express up to but not including SP2. Firefox and Konqueror seem unaffected."
  • by MrP- ( 45616 ) <jessica@supjessi ... com minus distro> on Saturday October 30, 2004 @12:43PM (#10672978)
    Just tested it with Opera 7.54, it's unaffected also.
  • by dereklam ( 621517 ) on Saturday October 30, 2004 @12:44PM (#10672988)
    This exploit also affects Safari 1.2.3 on Panther.
    • by v1 ( 525388 ) on Saturday October 30, 2004 @12:52PM (#10673047) Homepage Journal

      Doesn't appear so here.

      I just tested their spoof http://news.netcraft.com/archives/2004/10/29/new_url_spoofing_flaw_found_in_internet_explorer.html [netcraft.com] with Safari 1.2 (v125) and it shows 'google.com' in the address bar. I also tested Internet Explorer 5.2.3 on my mac and it also shows 'google.com' in the address bar.

      So it would appear that the mac is (at least for the two main browsers of choice) not affected by this security hole.
      • by quacking duck ( 607555 ) on Saturday October 30, 2004 @01:02PM (#10673129)
        Just tried it myself on Safari v125.9 on 10.3.5; unfortunately the spoof worked.

        Hovering over the actual link showed microsoft.com in the status bar, but clicking it did indeed go to google.

        However, I can click outside the link on the same line (thanks to the table spanning the entire width of the article box), and it'll go to microsoft.com as indicated in the status bar when hovering over the line.
    • Though another poster claims Safari isn't affected by this, I was able to replicate the vuln in Safari 1.2.3 (v125.9). So it appears that the other posters are incorrect. Firefox is unaffected, Internet Explorer shows 'http://www.microsoft.com' when the cursor has changed to the link finger but shows 'http://www.google.com' when the cursor is over the link text. Opera for Mac displays the same oddities as IE. OmniWeb for Mac also does this, however, the space in which it displays the spoofed address is on
  • Patch (Score:3, Funny)

    by Anonymous Coward on Saturday October 30, 2004 @12:45PM (#10672991)
    Patch available here [mozilla.org]
    • Re:Patch (Score:5, Funny)

      by Anonymous Coward on Saturday October 30, 2004 @01:04PM (#10673154)
      [microsoft.com] http://www.microsoft.com [mozilla.org]
    • Re:Patch (Score:3, Informative)

      by Jeff DeMaagd ( 2015 )
      Some could say that one should update to service pack 2, but IIRC, there are just as many W2k installations as there are XP installations.
      • Yep. I am a big firefox evangelist for windows, but SP2 is the Firefox killer in many ways.

        That said, there are lots of 98 and 2K installations. There are lots of XP people sick of spyware or are curious about tabs, handy extensions, etc. Or are just worried about security. Computers aren't these things in our living room anymore, they are our central digital hub. They have our work, photos, taxes, etc on them. Using IE is like driving drunk. Lots of XP users are slowly coming to realize this.

        The really
      • W3 Schools suggests it is about 58% XP, 25% W2K. Browser and Platform Statistics [w3schools.com] Win 98's share is 6%, Linux 3%, the Mac 3%.

        Looking at these numbers, migration to alternative browsers may have peaked before the release of SP2.

  • Safari (Score:4, Informative)

    by P-Nuts ( 592605 ) on Saturday October 30, 2004 @12:46PM (#10673002)
    Worryingly, Safari is also fooled by the bug - the status bar shows http://www.microsoft.com/ before you click on the link, but the address bar in the resulting window correctly shows http://www.google.com/.
    • Konqueror on KDE 3.3.1 draws a transparent table (the one faked on the link) around the link, being both (the link and a small space outside the text link) clickable, but with different destinations. The resulting window (either google or microsoft) has no spoofed url.
    • That is the same thing IE does.
  • The article says:

    "The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2, but are current on all other critical updates from Windows Update - as well as the Safari browser for Macs."

    Is it just me, or is that a typo? My version of Safari (1.2.3 v125.9) seems to handle their sample malformed tag just fine, displaying www.google.com as it should. Can anyone confirm or deny whether Safari is affected by this problem?

    • Yes. Safari 1.2.3 (v125.9) is vulnerable on my fully patched (with the exception of the latest QT, as I'm something of an uptime whore) 10.3.5 machine. The status bar showed microsoft.com when hovering over the link on Netcraft's advisory page.

      And in launching Safari to check, I was reminded once more how much more smoothly it scrolls than Firefox. Damn shame, that.
    • Re:Safari Affected? (Score:3, Informative)

      by caerwyn ( 38056 )
      Safari *is* affected at 1.2.3 v125.9. Look at the status bar as you mouse-over the link before clicking; that's where the exploit is. This is not the same as previous exploits that showed a fake URL in the actual URL bar.

      The link says www.microsoft.com, mousing over it pops up www.microsoft.com in the status bar in the lower left corner of the window. Clicking the link results in a page at google (with google url in the URL bar).
    • Re:Safari Affected? (Score:4, Informative)

      by bmoore ( 106826 ) * on Saturday October 30, 2004 @12:59PM (#10673104) Homepage
      Interesting... VERY interesting... I also have Safari 1.2.3, v125.9. When I hover my mouse over the link, it shows www.microsoft.com in the status bar. If I click the link, I go to google, but if I r-click and choose "Open Link in New Tab" (or new window) I go to www.microsoft.com.

      Odd. Very odd. Hopefully Apple will arrange for some consistency in operation soon.
      • Same here, although even stranger is that I get the same behaviour as you when doing a ctrl+click -> 'Open in New Tab', but when using option+click to open in a new tab it goes to Google.
    • Someone please mod up the confirmations/denials of this
    • Before I click on their sample link, I get 'microsoft.com' in my status bar at the bottom of the window. So, I would say the attack works.
      Note that the address bar in the visiting window correctly shows google.com. Not sure that's the case with IE.
  • by grahamsz ( 150076 ) on Saturday October 30, 2004 @12:51PM (#10673034) Homepage Journal
    http://graha.ms/iesploit.html [graha.ms]

    Doesn't seem like anything that couldn't be done with javascript.

  • IE users.. (Score:5, Informative)

    by Xeo 024 ( 755161 ) on Saturday October 30, 2004 @01:00PM (#10673113)
    To test the URL simply right-click it and it'll display the real URL, if that doesn't work right-click it and go to properties.

    But your best bet would be to either update or switch to an unaffected browser.

  • What's worse? (Score:5, Interesting)

    by nile_list ( 812696 ) on Saturday October 30, 2004 @01:01PM (#10673116) Homepage
    What's worse? IE being vulnerable to spoofed URLs because of malformed HTML, or Firefox crashing because of the same thing?
  • by SILIZIUMM ( 241333 ) on Saturday October 30, 2004 @01:03PM (#10673141) Homepage
    Last January, Microsoft Advised to Type in URLs Rather than Click [slashdot.org]. You have been warned early, consider yourself lucky !
  • <table>
    <a href="http://www.google.com/">http://www.microsoft.com</td></tr></table></a>
  • Goatse... (Score:3, Funny)

    by SILIZIUMM ( 241333 ) on Saturday October 30, 2004 @01:06PM (#10673162) Homepage
    Too bad the original goatse.cx is down, that could be fun. "Hey Jim, check that financial report!"... At least we have mirrors...
  • by SnprBoB86 ( 576143 ) on Saturday October 30, 2004 @01:13PM (#10673231) Homepage
    With my SP2 system I navigated to http://graha.ms/iesploit.html/ [graha.ms] and hovered over the link. This is what I discovered:

    If you place the mouse on the link it shows the link will take you to google as it should, but if you place the mouse just outside the link (I guess on the table border) it says microsoft. The kicker is, that when it says Microsoft, clicking the link will not do anything.
  • by goynang ( 680067 ) on Saturday October 30, 2004 @01:13PM (#10673232)
    Safari goes to the wrong URL too.

    Just tried the demo and ended up at Google rather than where the link looked like it should go.

  • Status bar? (Score:5, Insightful)

    by FearUncertaintyDoubt ( 578295 ) on Saturday October 30, 2004 @01:21PM (#10673301)
    I can see how this is a bug, and should be fixed, but how big of a security risk is it really? I think anyone aware enough to look at the status bar will probably look at the address bar in the browser, which will show the real URL. So, yes, the status bar spoof might get someone to click, but they can't spoof the address bar, and a phishing scam would fall apart at that point.

    You might as well say that links themselves are a security risk, since a link that says "Microsoft Web Site" but really goes to goatse.cx is a dangerous spoof.

    • I think anyone aware enough to look at the status bar will probably look at the address bar in the browser, which will show the real URL.

      Tinyurl [tinyurl.com] has lots of good examples of how the astute user can still be burnt. If the status bar shows "microsoft.com/whatever/whenever" but the actual site has the usual garbage, the user will not be clued in. Indeed, the user may not even be able to see the root of the site through the three thousand character url which so many legitimate sites generate.

      Your example

      • A status bar that works is an important part of preventing that kind of fraud.

        If it's so important, why does Javascript allow you to put whatever you want in the status bar? Anyone can easily override the default behavior without an "exploit".

    • a phishing scam would fall apart at that point.

      Unless the URI is obscenely long as is often seen with many dynamically-rendered sites.

      http://it.slashdot.org/comments.pl?sid=127762&op=Reply&threshold=3&commentsort=0&tid=113&tid=128&tid=172&tid=1&mode=nested&pid=10673301

      On a 19" screen at 1280x1024 the end of this falls off the address bar.
    • Think more creatively. Suppose I wanted to infect a person's machine or otherwise. You could spoof them to go to microsoft.com for an update and instead they go to a site that contains the GDI exploit bug, or itself is a direct download to the mac rootkit. Or when full 2-byte domains are allowed, domains like mícrosoft.com can fool many people.
  • Big. Farking. Deal.
    Haven't these dorks heard about javascript's onMouseOver? Just go to fark.com and hover over the links.
    Neither works in FF, however! :)
  • According to Netcraft...

    So, does this mean IE is dying? I'm confused.

  • From the article, "The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML". If browsers had been pickier from the start, and refused to try to render improper HTML, perhaps we wouldn't see this sort of bug so often. Of course, now everyone expects to be able to view sites no matter how bad the code, so a 'correct' browser wouldn't be popular. Maybe browsers should start flagging improper HTML as a security risk; might actually get some people's attention.
  • <a href="http://www.microsoft.com/"><table><tr><td><a
    href="http://www.google.com/">http://www.microsoft.com</td></tr></table></a>

    displaying http://www.microsoft.com in the browser, but sending the user to Google.

    Is it the <table> that does it or the nested <a> tags?
  • How ironic (Score:3, Interesting)

    by ptlis ( 772434 ) on Saturday October 30, 2004 @01:50PM (#10673484) Homepage
    IE's ability to parse anything, which meant it survived the problems which caused both Opera and Firefox to crash, has also made this nastiness possible...
  • by ManuelKelly ( 446655 ) on Saturday October 30, 2004 @01:56PM (#10673525)
    Is something like this discovered by accident, or is some poor person sitting at a desk coding weird html all day to see what happens?
  • According to the article, Safari is affected. The Safari on my system (1.2.3 (v125.9)) is not, and that's up to date.
    • I have Safari 1.2.3 (v125.9). It is affected.

      It's kinda cool how if I click on the url, it goes to Google, if I click next to it, it goes to Microsoft. Surely, there's a practical use for this (other than phishing).
  • Did anybody see the interesting example Netcraft gave for their webserver search?
  • Violates HTML4 ref (Score:3, Insightful)

    by mystik ( 38627 ) on Saturday October 30, 2004 @02:02PM (#10673568) Homepage Journal
    http://www.w3.org/TR/html401/struct/links.html#edef-A [w3.org]

    According to the HTML4 ref @ w3, putting a table inside of an anchor-tag is illegal. Only inline tags may reside there, and a table is a block-level tag.

    Since this means the browser's behavior is undefined, I hope they come up w/ a better fix ...
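
One way a mail or content filter could flag the markup discussed in this thread, as an added example (not code from Netcraft, Slashdot or any poster). It walks the tag stream and reports an anchor opened inside another anchor, a block-level element inside an anchor (invalid per the HTML 4 reference cited above), and link text that names a different host than its href. The names `host_of`, `LinkAuditor` and `audit` are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subset of HTML 4 block-level elements (not allowed inside <a>).
BLOCK_TAGS = {"table", "div", "p", "ul", "ol", "form"}
# SPOOF is the markup quoted in the thread; BENIGN is constructed for comparison.
SPOOF = ('<a href="http://www.microsoft.com/"><table><tr><td><a '
         'href="http://www.google.com/">http://www.microsoft.com</td></tr></table></a>')
BENIGN = '<table><tr><td><a href="http://www.google.com/">www.google.com</a></td></tr></table>'

def host_of(text):
    """Lowercase host if text looks like a URL or bare hostname, else None."""
    text = text.strip()
    if not text or " " in text:
        return None
    host = (urlsplit(text if "://" in text else "//" + text).hostname or "").lower()
    return host if "." in host else None

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open_links = []  # [href, visible text] per unclosed <a href>
        self.findings = []    # (rule, detail) tuples in document order

    def handle_starttag(self, tag, attrs):
        if self.open_links and tag in BLOCK_TAGS:
            self.findings.append(("block-in-anchor", tag))
        href = dict(attrs).get("href")
        if tag == "a" and href:
            if self.open_links:  # a second <a> before the first was closed
                self.findings.append(("nested-anchor", (self.open_links[-1][0], href)))
            self.open_links.append([href, ""])

    def handle_data(self, data):
        if self.open_links:
            self.open_links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links:
            href, text = self.open_links.pop()
            shown, target = host_of(text), host_of(href)
            if shown and target and shown != target:
                self.findings.append(("text-href-mismatch", (shown, target)))

def audit(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

`audit(SPOOF)` returns all three findings, while `audit(BENIGN)` returns an empty list because the table wraps the link rather than sitting inside it.
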
  • I put a test page [rr.com] up. There are two spoof tests on the page. The latest version of Firefox is not affected by either of them if you left click the link. However, if you middle click the first spoof test, Firefox takes you to the wrong site.
    • I tried this with both Safari and IE under OS X. In Safari, when I hovered over each link, the status bar showed both links as Microsoft. When I clicked the links, I went to Google, and the address bar showed Google.

      In IE, when I hovered over the links, it showed the links as Google and behaved the same as with Safari when I clicked on them.

      Very, very weird...

      • It is not really a _big_ security risk. It basically can just hide where the link will really take you. Once you're there, you can see in the URL bar what site you are really at. URL address bar spoofs are more of a security risk since they hid the real address from the user. That is what made some Joe Users think they were at CitiBank, etc.

        The only thing this could be used for would be to send a user to a p0rn site without them knowing.

    • Per the comment of another user in this story, I tried hovering over the white space next to each link in Safari, and the status bar showed a link to Microsoft. Clicking the white space takes me to Microsoft. IE doesn't show any link at all there, but it does strange things with most of the rest of the text -- it underlines most of the page in blue, implying that it's a link, and it even shows it as a link in the status bar, but if you click on any part of the underlined text, the underlining disappears -

  • Very minor (Score:3, Interesting)

    by Jesus IS the Devil ( 317662 ) on Saturday October 30, 2004 @05:26PM (#10674799)
    This type of bug is very minor. I never trust what the status bar says on mouse-over of a link. With a little bit of javascript, it's easy to have it say whatever you want. Many sites already employ this. All it does is annoy me.

    The bottom line is, once you land on the site, what does it say in the address bar and the status bar then?

    One other thing, be careful of misleading domains that replace "1" with an "l" or vice versa.
  • The a href for userinfo's have .exe's in them and if you click the link on IE the second a href tag will open the executable.