Channel News and Analysis - Channel Insider

 



 

New IE Flaw Spoofs URLs


Two exploits using malformed HTML bring users to different Web sites than the ones indicated in the browser's status bar. A lesser variant affects Mozilla.

A series of HTML-based exploits allows a malicious page author to direct a user to a different Web site than the one indicated in the browser's status bar.

Two separate but similar issues affect Internet Explorer. The first, reported by Benjamin Franz of Germany on the Bugtraq mailing list, involves an improper mixture of anchor and table tags, with links to two different sites.

On fully patched Windows systems prior to Windows XP SP2, users hovering over the link will see one URL in the status bar, but when they click on the link, they will be taken to a different address. On Windows XP SP2, clicking on the link brings the user to the same address indicated in the status bar. Users hovering just below the link will see the second address, but clicking in this area does not change the browser location.

The second issue, also reported on Bugtraq, comes from the well-known malware researcher http-equiv. The effect is similar to the first, but the bug works on fully patched Windows XP SP2 systems. The technique combines an empty anchor tag with a form tag whose action attribute points to one address and whose input tag of type submit carries the other address as its value, all in the presence of a base href tag indicating the second address.
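When reviewing or filtering untrusted HTML (mail bodies, user-submitted markup), both markup shapes described above can be flagged statically. The Python lint below is an added example, not code from the article or the Bugtraq reports; the article does not give the exact nesting, so the checks key only on the features it names, and the class name, function names and `.example` hosts are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host(url):
    return (urlsplit(url or "").hostname or "").lower()  # '' when no host

class StatusBarLint(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []   # open <a>/<table> as (tag, host)
        self.base, self.action = "", None    # <base href> host, open form's action host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base":
            self.base = host(a.get("href"))
        elif tag == "table":
            self.stack.append(("table", ""))
        elif tag == "a":
            inner, in_table = host(a.get("href")), False
            for kind, outer in reversed(self.stack):
                in_table = in_table or kind == "table"
                if kind == "a" and in_table and inner and outer and inner != outer:
                    self.findings.append(("anchor-table", outer, inner))
            self.stack.append(("a", inner))
        elif tag == "form":
            self.action = host(a.get("action"))
        elif tag == "input" and (a.get("type") or "").lower() == "submit":
            label = host(a.get("value"))   # host named in the button text, if any
            if self.action and label and label == self.base != self.action:
                self.findings.append(("form-base", self.action, label))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None
        tags = [t for t, _ in self.stack]
        if tag in tags:   # close back to the most recent matching open element
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

def lint(html):
    p = StatusBarLint()
    p.feed(html)
    p.close()
    return p.findings

# Constructed samples; hosts are placeholders, not the reported test pages
ANCHOR_TABLE = ('<a href="http://first.example/"><table><tr><td>'
                '<a href="http://second.example/">news</a></td></tr></table></a>')
FORM_BASE = ('<base href="http://second.example/"><form action="http://first.example/">'
             '<input type="submit" value="http://second.example/"></form>')
```

`lint()` returns a list of `(rule, host, host)` tuples; an empty list means neither shape was found. The form rule assumes the `<base>` tag precedes the form, as it does when it sits in the document head.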


The significance of either bug is questionable, as the same effect has long been possible using JavaScript and other techniques.

Mozilla is not generally subject to these attacks, but others have observed that in some of them, if the user Ctrl-clicks to load the link in a separate tab, that tab will load the second address, not the one indicated by the status bar.




 

 
 
By Larry Seltzer
 


 