New IE Flaw Spoofs URLs

By Larry Seltzer  |  Posted 2004-10-31 Print this article Print

Two exploits using malformed HTML bring users to different Web sites than the ones indicated in the browser's status bar. A lesser variant affects Mozilla.

A series of HTML-based exploits allow a malicious HTML programmer to direct a user to a different Web site than the one indicated in the users browser status line. Two separate but similar issues affect Internet Explorer. The first, reported by Benjamin Franz of Germany on the Bugtraq mailing list, involves an improper mixture of anchor and table tags, with links to two different sites.

On fully-patched Windows systems prior to Windows XP SP2, users hovering over the link will see one URL in the status bar, but when they click on the link, they will be taken to a different address. On Windows XP SP2, clicking on the link brings the user to the same address indicated in the status line. Users hovering just below the link will see the second address, but clicking in this area does not change the browser location.

The second report, also reported on Bugtraq, is by the well-known malware researcher http-equiv. The effect is similar to the first, but the bug works on fully-patched Windows XP SP2 systems. The technique involves the mixture of an empty anchor tag and a form tag with both an action statement indicating one address and an input tag with the type of submit and a value of the other address, all in the presence of a base href tag indicating the second address.

Click here to read about another bug that allows programs to be planted and executed on fully-patched SP2 systems. The significance of either bug is questionable, as the same effect has long been possible using JavaScript and other techniques.

Mozilla is not generally subject to these attacks, but others have observed that in some of these attacks, if the user Ctrl-clicks to load the link in a separate tab, that tab will load the second address not indicated by the status line.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Be sure to add our security news feed to your RSS newsreader or My Yahoo page

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel