Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6
Description:
A vulnerability has been identified in Internet Explorer,
which can be exploited by malicious people to display
a fake URL in the address and status bars.
The vulnerability is caused by an input validation
error, which can be exploited by placing the URL-encoded
control characters "%01" and "%00" after the username
and immediately before the "@" character in a URL.
Successful exploitation allows a malicious person to
display an arbitrary FQDN (Fully Qualified Domain Name)
in the address and status bars, which is different from
the actual location of the page.
This can be exploited to trick users into divulging
sensitive information or into downloading and executing
malware on their systems, because they trust the faked
domain shown in the two bars.
Example displaying only "http://www.trusted_site.com"
in the two bars when the real domain is "malicious_site.com":
http://www.trusted_site.com%01%00@malicious_site.com/malicious.html
The vulnerability has been confirmed in version 6.0,
and version 5.x is also affected according to Microsoft's
knowledge base article.
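An added detection helper, not part of the original advisory: given a URL, it recovers the host a client will really connect to and flags userinfo that hides it the way the "%01"/"%00" trick does (a hostname-looking username followed by control characters before the "@"). The function name analyze_url and the returned field names are my own.

```python
from urllib.parse import urlsplit, unquote

# Control characters that unpatched IE 5.x/6 treated as the end of the
# displayed address, so everything after them (the real host) vanished
# from the address and status bars.
TRUNCATING_CONTROL_CHARS = ("\x00", "\x01")


def analyze_url(url: str) -> dict:
    """Return the real host of `url`, the host an unpatched IE would have
    shown, and whether the userinfo looks like the spoof described above."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    raw_user = parts.username          # still percent-encoded; None if no '@'
    result = {"real_host": real_host, "displayed_host": real_host,
              "suspicious": False, "reasons": []}
    if raw_user is None:
        return result                  # no userinfo, nothing to hide behind

    user = unquote(raw_user)           # %01 / %00 become the raw characters
    ctrl = sorted({c for c in user if c in TRUNCATING_CONTROL_CHARS})
    if ctrl:
        result["reasons"].append(
            "control character(s) in userinfo: "
            + ", ".join("%%%02X" % ord(c) for c in ctrl))

    # What the vulnerable browser displayed: the username up to the first
    # truncating control character.
    shown = user
    for c in TRUNCATING_CONTROL_CHARS:
        shown = shown.split(c, 1)[0]

    # A username that itself looks like a host name is the other half of
    # the trick; a plain login name such as "alice" is not flagged.
    if "." in shown and " " not in shown and not shown.startswith("."):
        result["displayed_host"] = shown.lower()
        result["reasons"].append("userinfo looks like a host name: %r" % shown)

    result["suspicious"] = bool(ctrl) or result["displayed_host"] != real_host
    return result


if __name__ == "__main__":
    # The advisory's own example URL (constructed sample input).
    sample = "http://www.trusted_site.com%01%00@malicious_site.com/malicious.html"
    print(analyze_url(sample))
```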
Solution:
Download and install the IE URL Spoofing Vulnerability Patch.
Reported by / credits:
Originally discovered by:
Zap The Dingbat
Status bar variant reported by:
Chris Hall
Changelog:
2003-12-11: Linked to test. Added information regarding
variant, which makes it possible to spoof URL in the
status bar as well.
2003-12-14: Microsoft has issued a knowledge base article
concerning the issue. This also reports that version
5.x is affected.
2003-12-14: Released IEpatch to fix URL Spoofing Vulnerability.
2003-12-20: Released revised IEpatch version 2.0. Fixed all known errors.
2003-12-27: Released final revised version 3.0, which redirects blocked pages to a local file.
Trojan and / or Worm loaders
Trick unsuspecting users into downloading harmful viruses
by disguising them as legitimate security updates.
Users' comments
Fake Earthlink request for billing info E-mail from <account
verification976@ geocites.com> sent this weekend....your
patch blocked it...Thanks for fixing what Microsoft chose
not to.
-Dan Leinenbach,
US Attorney's Office, Virgin Islands