Microsoft has denied that a spoofing technique available on its Internet Explorer browser is a security vulnerability.
The software giant accepted the possibility that spoofing could occur on version six of IE, but rejected claims that this was a security flaw.
In a prepared email statement from the company, a spokesperson said: "Microsoft is aware of a security issue reported last week that could allow spoofing the URL a user sees in Internet Explorer’s status bar. Users could see a URL in the status bar when the mouse hovers over the link on a webpage, but clicking the link would take the user to a different URL. Our investigation has indicated that this is not a security vulnerability."
Last week, a researcher in Germany, Benjamin Tobias Franz, posted warnings on bulletin board Web site Bugtraq, stating that Internet Explorer could spoof links if users put two URLs and a table inside an HTML href tag.
The result, Franz claimed, was that malformed links to URLs, could take users to an entirely different Web site without their knowledge.
This technique could be used for spoofing – a way of making users think they are visiting their chosen Web site when they are in fact looking at a 'spoofed' site.
Spoofing techniques are frequently used in phishing scams -- emails that attempt to steal user information by purporting to be from legitimate organisations. But Microsoft said that a large amount of social engineering would need to take place if victims were to fall for such attacks: "An attacker would need to entice a user to visit a site, and then entice the user to click a link on that site based on the URL that appears in the Internet Explorer’s status bar," said the statement. "Once on the destination site, the user would need to be enticed by the attacker to take some action, such as disclosing confidential financial information, without the user noticing that the URL in the address bar does not match the URL that the user thought he [or] she was visiting."
The company advised users to check that the URL in the browser address bar was the intended destination before going to the site. Franz and Microsoft agreed that Windows XP SP2 is unaffected by the issue.
Microsoft added: "[We] will evaluate the feasibility of implementing similar changes on earlier versions of Windows in the future."
On the Bugtraq Web site, Franz said that HTML email messages were vulnerable to the technique, so Microsoft Outlook Express was also affected. Franz wrote that users should avoid non-trusted links, or right-click on links to see the real target.
According to security firm NetCraft, Mozilla Firefox users are not affected by the issue.
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
that comment bot is a nutter, it just referred me to the moderator on my own blog. shocked look. please help thank you Dava I'm afriad to...
24 minutes ago by dava4444 on Welcome to the new ZDNet UK community! Hi Rupert! Don't think I could fill the above shoes... but if your ever looking for a consumer rights Tech blogger..tip me the wink lol peace Dava
2 hours ago by dava4444 on Fancy working for ZDNet UK? Hi Rupert My photo is gone from my profile and I just got told i was a spammer by the comment bot. the navigation is gone for my profile. :O on...
2 hours ago by dava4444 on Welcome to the new ZDNet UK community!
With windows it is always more bloat, and a lot of that seems to be duplicated in various places. I've noticed that you will have freed space on...
8 hours ago by ator1940 on Can you believe it - 2765 kB will be freed?
Buzz My Stat : New search for http://www.zdnet.co.uk Take a look: http://www.buzzmystat.com/site/zdnet.co.uk
12 hours ago on Twitter by BuzzMyStat
Hi Jamie, I'm sorry your comment got caught in the spam filter. We use an industry standard blacklist for this. I suspect that the comment may...
16 hours ago by Karen Friar on Spam? Filter Changed?
Pop - Neither have I. Ever, under any circumstances. I'm much more accustomed to Windows slowly, but inexorably, consuming more and more disk...
17 hours ago by J.A. Watson on Can you believe it - 2765 kB will be freed?
Apple are currently pushing to get tv content on the iPad by April 3rd. This could possibly be seen as a spoiler for that announcement I suppose....
1 day ago by John Molloy
Hey - presume you mean something that builds on Apple's existing TV device? Apple have already had a couple of runs at building Apple TV and it's...
1 day ago by Andrew Donoghue on Google's TV timing may reveal more to come
Google, Sony, Intel may build TV project www.zdnet.co.uk/news/emerging-tech/2010/03/18/google-sony-intel-may-build-tv-project-40088359/
2 days ago on Twitter by BVE2011 70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating,...
2 days ago by ator1940 on Microsoft says it decimated Waledac botnet I agree Roger, and why can't they write secure code? What will happen when they find stolen code in windows? They have a track record of...
2 days ago by ator1940 on Microsoft lashing out at Linux, open source Do you think it will really take days?
2 days ago by ator1940 on Microsoft previews Internet Explorer 9 with HTML 5 support
Wonder how many days it will take before somebody codes an exploitive hack for IE9?
2 days ago by Xwindowsjunkie on Microsoft previews Internet Explorer 9 with HTML 5 support
There are some really good people in Microsoft and I wonder, how embarassing it must be for them to see how the organisation behaves from it's...
2 days ago by roger andre on Microsoft lashing out at Linux, open source On further inspection, it looks like some things are missing, is it possible that there was a time lag between whatever state the site was in that...
2 days ago by J.A. Watson on Welcome to the new ZDNet UK community!
Ok. Now I'm getting annoyed. Previously I could just click on just about any item or comment I saw and get a reply box. How do I manage that...
2 days ago by Tezzer on ZDNet UK: faster, smarter, still IT all the way hey Roger. Think I have spotted a bug as when I click on my name it takes me to the same page as if I had clicked on "Edit Profile". i.e...
2 days ago by Andrew Donoghue on ZDNet UK - Now cleaner than an Archbishop's conscience
Great new look for ZDNET UK web-site http://bit.ly/9R5eAA to check it out @ZDNetUK #zdnet
2 days ago on Twitter by ajclarkeFor multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
Talkback
Eudora has just put in a new feature. When you hover the mouse on a link that is suspicious, you get a warning. It is not perfect yet, but it seems that Microsoft could do the same thing in it's browser. This would help the "social engineering education".
5 Nov 04 16:59 Reply