Good Day,

Info for pre SP2 IE 6.0.2900 users:

Bugtraq: New URL spoofing bug in Microsoft Internet Explorer

Date: Oct 28 2004

New URL spoofing bug in Microsoft Internet Explorer

There is a security bug in Internet Explorer 6.0.2800.1106 (fully patched), which allows any faked target address to be shown in the status bar of the window.

The example below will display a faked URL ("") in the status bar of the window, if you move your mouse over the link.

Click on the link and IE will go to "" and NOT to "" .

<a href=""><table><tr><td><a
href="">Click here</td></tr></table></a>

Description: Microsoft Internet Explorer can't handle links surrounded by a table and another link correctly.

The bug can be exploited using HTML mail message too.

Affected software: Microsoft Internet Explorer, Microsoft Outlook Express, ...

Workaround: Don't click on non-trusted links. Or right-click on links to see the real target. Or use Copy-and-Paste.

Benjamin Tobias Franz



The good news: Windows XP SP2 (IE version 6.0.2900), Firefox, and Mozilla browsers are not affected.


edit: Yep it works on IE 6.0.2800.1106
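
For filtering HTML mail, the markup pattern in the advisory (a link, then a table, then a second link inside it) can be flagged before a message is rendered. The sketch below is an added example, not part of the original post or the advisory; the class and function names are hypothetical and the sample URLs are constructed placeholders.

```python
from html.parser import HTMLParser

# Constructed samples: the advisory's markup shape with placeholder URLs,
# and an ordinary table holding two separate links.
SAMPLE_SPOOF = ('<a href="http://outer.example/"><table><tr><td>'
                '<a href="http://inner.example/">Click here</td></tr></table></a>')
SAMPLE_BENIGN = ('<table><tr><td><a href="http://outer.example/">One</a></td>'
                 '<td><a href="http://inner.example/">Two</a></td></tr></table>')


class NestedAnchorFinder(HTMLParser):
    """Record every <a href> opened while an outer <a href> is still open."""

    def __init__(self):
        super().__init__()
        self.open_hrefs = []  # hrefs of anchors that have not been closed yet
        self.between = []     # other tags opened since the outermost anchor
        self.findings = []    # (outer_href, inner_href, table_in_between)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href is None:
                return  # anchors without href are not links
            if self.open_hrefs and href != self.open_hrefs[-1]:
                # Two different targets compete for the same clickable region.
                self.findings.append(
                    (self.open_hrefs[-1], href, "table" in self.between))
            self.open_hrefs.append(href)
        elif self.open_hrefs:
            self.between.append(tag)

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()
            if not self.open_hrefs:
                self.between.clear()


def find_nested_links(html):
    """Return a list of (outer_href, inner_href, table_in_between) tuples."""
    parser = NestedAnchorFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, doc in (("spoof", SAMPLE_SPOOF), ("benign", SAMPLE_BENIGN)):
        print(name, find_nested_links(doc))
```

Any finding means the link text sits inside two anchors with different targets; a mail gateway could quarantine the message or rewrite it so that only one href remains.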