Internet Explorer Spoofing Vulnerability Found

By Matthew Hicks  |  Posted 2003-12-10 Print this article Print

Users could be lulled into providing sensitive information through a Internet Explorer browser vulnerability that allows fake URLs to obscure the real domain.

A new vulnerability discovered this week in Internet Explorer could allow for the spoofing of URLs in the Web browsing, potentially putting users sensitive information at risk. Security researchers confirmed a vulnerability in Internet Explorer 6 that could let an attacker display a fake URL in the browsers address bar in an attempt to disguise the real domain, according to a security bulletin released on Tuesday by Danish security company Secunia Ltd. Using the security hole, an attacker could trick users into providing sensitive information or download malicious software by leading them to think that they are visiting a trusted site, the advisory said.
Secunia rated the vulnerability as "moderately critical." A Microsoft spokesperson on Wednesday said that the company knows of no exploits of the reported hole or of any users being affected but said in a statement that it is "aggressively investigating the public reports."
Microsoft may provide a fix through its monthly patch release cycle or a separate patch, depending on the outcome of the investigation, the spokesperson said. Earlier this week, however, Microsoft said that it would not release any security bulletins for the month of December. See what eWEEK columnist Brian Livingston has to say about Microsofts patch release schedule.

Secunia, in its advisory, said that IE allows spoofing because of an input validation error. To fix the gap, the advisory suggests that users turn on URL filtering capabilities in a proxy server or firewall to block malicious characters and character sequences and to avoid clicking Web links unless they are from a trusted source.
Matthew Hicks As an online reporter for, Matt Hicks covers the fast-changing developments in Internet technologies. His coverage includes the growing field of Web conferencing software and services. With eight years as a business and technology journalist, Matt has gained insight into the market strategies of IT vendors as well as the needs of enterprise IT managers. He joined Ziff Davis in 1999 as a staff writer for the former Strategies section of eWEEK, where he wrote in-depth features about corporate strategies for e-business and enterprise software. In 2002, he moved to the News department at the magazine as a senior writer specializing in coverage of database software and enterprise networking. Later that year Matt started a yearlong fellowship in Washington, DC, after being awarded an American Political Science Association Congressional Fellowship for Journalist. As a fellow, he spent nine months working on policy issues, including technology policy, in for a Member of the U.S. House of Representatives. He rejoined Ziff Davis in August 2003 as a reporter dedicated to online coverage for Along with Web conferencing, he follows search engines, Web browsers, speech technology and the Internet domain-naming system.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel