Windows XP SP2 (IE 6.0.2900.2180.xpsp_sp2_rtm.040803-2158) Has no problem - the status bar says Google and the click goes to Google Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.ziffdavis.com/seltzer larryseltzer@xxxxxxxxxxxxx -----Original Message----- From: 0-1-2-3@xxxxxx [mailto:0-1-2-3@xxxxxx] Sent: Thursday, October 28, 2004 5:38 PM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: New URL spoofing bug in Microsoft Internet Explorer New URL spoofing bug in Microsoft Internet Explorer There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched), which allowes to show any faked target-address in the status bar of the window. The example below will display a faked URL ("http://www.microsoft.com/";) in the status bar of the window, if you move your mouse over the link. Click on the link and IE will go to "http://www.google.com/"; and NOT to "http://www.microsoft.com/"; . <a href="http://www.microsoft.com/";><table><tr><td><a href="http://www.google.com/";>Click here</td></tr></table></a> Description: Microsoft Internet Explorer can't handle links surrounded by a table and an other link correct. The bug can be exploited using HTML mail message too. Affected software: Microsoft Internet Explorer, Microsoft Outlook Express, ... Workaround: Don't click on non-trusted links. Or right-click on links to see the real target. Or use Copy-and-Paste. Regards, Benjamin Tobias Franz Germany
