At 15:33 -0800 2003-12-12, Aron Roberts wrote:
> A vulnerability in Internet Explorer 6.0 for Windows (at least),
>reported earlier this week, may allow miscreants to spoof the URL
>that appears in the Address field at the top of the browser window,
>as well as in the status bar in the bottom of the window. ...
>
> The exploit is simple. When clicking the URL:
>
> http://www.trusted_site.com%01%00@malicious_site.com/
>
>you will actually be taken to <http://malicious_site.com>, but the
>URL will appear in Internet Explorer's Address field and status bar
>as <http://www.trusted_site.com>.

Microsoft has now posted a Knowledge Base article confirming this
vulnerability in IE, and offering a set of work-arounds users can
perform to verify the URLs of the websites they're visiting:

"Steps that you can take to help identify and to help protect yourself
from deceptive (spoofed) Web sites"
http://support.microsoft.com/?id=833786

This article also confirms that this vulnerability affects IE 5.01
through 6.0. Presumably this will be patched at some point ...

Aron Roberts
Workstation Software Support Group
Received on Thu Dec 18 09:38:14 2003
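
A defensive check for the URL form quoted in the message above, as an added example that is not part of the original post: it reports the host a client actually connects to (the text after the last "@") and flags userinfo that carries percent-encoded control bytes. The function name, the finding labels and the "looks like a host" heuristic are assumptions made for this sketch, and the heuristic goes slightly beyond the exact %01%00 case.

```python
from urllib.parse import urlsplit, unquote_to_bytes

def audit_url(url):
    """Return (real_host, findings) for a URL.

    real_host is what follows the last '@' in the authority part; the
    text before that '@' is userinfo and is never the destination.
    """
    parts = urlsplit(url)
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    real_host = parts.hostname or ""
    findings = []
    if at:
        findings.append("userinfo-present")
        raw = unquote_to_bytes(userinfo)  # decode %01, %00, ...
        if any(b < 0x20 or b == 0x7F for b in raw):
            findings.append("control-bytes-in-userinfo")
        # Drop non-printing bytes, then look at the user part alone.
        visible = bytes(b for b in raw if 0x20 <= b < 0x7F).decode("ascii")
        user = visible.split(":", 1)[0].lower()
        if "." in user and user != real_host:
            findings.append("userinfo-looks-like-host")
    return real_host, findings

# Constructed samples; the first is the URL form quoted in the message.
SAMPLES = [
    "http://www.trusted_site.com%01%00@malicious_site.com/",
    "https://www.example.com/path?x=a@b",   # '@' in the query only
    "ftp://user:pw@files.example.com/",     # ordinary credentials
]

if __name__ == "__main__":
    for u in SAMPLES:
        host, findings = audit_url(u)
        print(f"{u}\n  connects to: {host}\n  findings: {findings or 'none'}")
```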