
Internet Explorer URL hiding vulnerability

20 years 11 months ago #2041 by sahirh
I picked this up on the security lists yesterday and played around with it a bit.

There's a vulnerability in IE that allows someone to craft a URL making it appear to be somewhere else.. in other words when you look at the address bar or hover on the link, you'll see the name of the site you think you're at.. but you will be at another page. Obviously this is important because of the number of social engineering scams that can use this (think of people going to pages they think are eBay or PayPal).

If you wanna check this out, copy the following code into a text document and save it as .html then open it in IE.. hover on the link and see where it says it's taking you.. then click the link.. and notice that you're not actually where you think you are ;)

[code:1]
<html>
<body>
<a href="http://www.google.com%00@tftfotw.blogspot.com">Google</a>
</body>
</html>

[/code:1]

Some people are saying this is a trivial issue.. I disagree, because it's very hard to detect unless you look at the source or notice what IP you're connected to... both very unlikely situations.

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
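
A defensive check for the kind of link shown in the post above, as an added example that is not part of the original thread: it pulls every `href` out of a page and flags authorities where a hostname-looking string and a percent-encoded control byte sit before the `@`, reporting the host after the `@` as the real destination. The names `inspect_url`, `LinkCollector` and `scan_html` are hypothetical, and the second sample link is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Percent-encoded control bytes (%00-%1F, %7F), such as the %00 in the post's link.
ENCODED_CTRL = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")
# Userinfo that starts like a DNS name, e.g. "www.google.com".
HOSTLIKE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def inspect_url(url):
    """Return (real_host, findings); findings is empty when the authority is clean."""
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    findings = []
    if at:  # everything before the last '@' is credentials, not the destination
        findings.append("userinfo-present")
        if ENCODED_CTRL.search(userinfo):
            findings.append("encoded-control-char-in-userinfo")
        if HOSTLIKE.match(userinfo):
            findings.append("userinfo-looks-like-hostname")
    return parts.hostname, findings

class LinkCollector(HTMLParser):
    """Collect the href of every <a> element."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.hrefs.append(dict(attrs)["href"])

def scan_html(html):
    """Return [(href, real_host, findings)] for links with a suspicious authority."""
    collector = LinkCollector()
    collector.feed(html)
    results = [(href, *inspect_url(href)) for href in collector.hrefs]
    return [r for r in results if r[2]]

# First link is the one from the post; the second is a constructed clean link.
SAMPLE = ('<a href="http://www.google.com%00@tftfotw.blogspot.com">Google</a>'
          '<a href="http://www.example.com/page">Example</a>')

if __name__ == "__main__":
    for href, host, findings in scan_html(SAMPLE):
        print(f"{href!r} actually goes to {host}: {', '.join(findings)}")
```
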
20 years 11 months ago #2056 by Chris
When was this vulnerability posted in the security lists, Sahir?

I must agree with you that it's not a trivial issue!! Has Microsoft come up with any patch for it?

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 11 months ago #2057 by sahirh
Chris, I caught the vulnerability a day before I posted.. in other words on the 12th.

So far I haven't seen any word of a patch... Microsoft had also said that they wouldn't be releasing any patches in December.. but they've already had to release at least one.

I figure we'll be seeing an IE cumulative patch pretty soon.. if I notice it I'll post a link.

For those of you who didn't try out the vulnerability above, you can check out a working version at my blog. Here's a direct link to the post:
tftfotw.blogspot.com/2003_12_01_tftfotw_...l#107126717526620477

It will appear to take you to www.google.com and it actually brings you to firewall.cx :)

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 11 months ago #2058 by TomaHawK
OMG! This is the end of the world as we know it! Not really, I read the post and thought.. hmm, not that bad, and then I tried "googling" firewall.cx... this does not bode well!

all errors are intended, correction will lead to sudden death
20 years 11 months ago #2073 by Wild_khan
Man.... I want to know how Microsoft defines 'trivial'..... you can send surfers on a roller coaster ride to hell using this one.... I remember there was this method where you would make a fake page (yep, phishing) imitating the Hotmail page... and pray the user enters his password without noticing the URL..... now it doesn't matter if he notices the URL.... :twisted: .....

b4 i sign gimme a pencil...and a sharpner...and a rubber...ohh sorry i dont use a pencil...i use a pen...