Good Day,

Info for pre SP2 IE 6.0.2900 users:

Bugtraq: New URL spoofing bug in Microsoft Internet Explorer

From: 0-1-2-3_at_gmx.de
Date: Oct 28 2004

New URL spoofing bug in Microsoft Internet Explorer

There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched), which allowes to show any faked target-address in the status bar of the window.

The example below will display a faked URL ("http://www.microsoft.com/") in the status bar of the window, if you move your mouse over the link.

Click on the link and IE will go to "http://www.google.com/" and NOT to "http://www.microsoft.com/" .

<a href="http://www.microsoft.com/"><table><tr><td><a
href="http://www.google.com/">Click here</td></tr></table></a>

Description: Microsoft Internet Explorer can't handle links surrounded by a
table and an other link correct.

The bug can be exploited using HTML mail message too.

Affected software: Microsoft Internet Explorer, Microsoft Outlook Express, ...

Workaround: Don't click on non-trusted links. Or right-click on links to see the real target. Or use Copy-and-Paste.

Regards,
Benjamin Tobias Franz
Germany


Bugtraq

Netcraft

The good news: Windows XP SP2 (IE version 6.0.2900), Firefox, and Mozilla browsers are not affected.

cheers

edit: Yep it works on IE 6.0.2800.1106