And another IE flaw...

A new Internet Explorer flaw is out... according to Netcraft, a new spoofing flaw in IE allows an improperly coded web link to send users to a different URL than the one displayed in the status bar.

If you try to create a link with HTML like this:

<a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.demiliani.com/">Click here to go to Microsoft Website</td></tr></table></a>

you obtain this result:

Click here to go to Microsoft Website

As you can see (if you don't have XP SP2 installed), your browser displays "microsoft.com" in the status bar, but you're redirected to my personal website... an easy way to redirect users wherever you want, accessible to anyone who knows a little bit of HTML.

The flaw affects versions of IE up to 6.0.2800.1106. Users running Windows XP SP2 (IE version 6.0.2900) and the open source Firefox and Mozilla browsers are not affected.

I hope for a patch because there are a lot of machines that have not installed XP SP2...

UPDATE: Firefox also has a flaw like this...

If you try to create a link with this format:

<a href="http://www.microsoft.com/"><table><tr><td><a href="http://www.demiliani.com/">Click here to go to Microsoft Website</a></td></tr></table></a>

you obtain this link:

Click here to go to Microsoft Website

If you open the link in the current tab in Firefox, it works correctly and you are redirected to Microsoft.com, but if you open the link in a new tab, you are redirected to my personal website.

I hope that the new Firefox version expected for the 9th of November will be patched.
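
A defensive check for the pattern shown in both snippets above, added here as an example (not code from the original post): it scans raw HTML for an `<a href>` opened inside another still-open `<a href>` that points at a different host, which covers both the unclosed inner link and the closed one. The function names and the `trusted.example` / `other.example` sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _host(href):
    """Lower-cased hostname of an href, or '' for relative or malformed links."""
    try:
        return (urlsplit(href.strip()).hostname or "").lower()
    except ValueError:
        return ""


class NestedAnchorScanner(HTMLParser):
    """Flags an <a href> opened while another <a href> to a different host is still open."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open_hrefs = []  # hrefs of anchors not yet closed
        self.findings = []    # (outer_href, inner_href) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = (dict(attrs).get("href") or "").strip()
        for outer in self.open_hrefs:
            # Two absolute links, one inside the other, with different hosts:
            # the URL the user is shown and the navigation target can disagree.
            if _host(outer) and _host(href) and _host(outer) != _host(href):
                self.findings.append((outer, href))
        self.open_hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()


def find_conflicting_links(html):
    """Return (outer_href, inner_href) for every nested cross-host anchor pair."""
    scanner = NestedAnchorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples in the same shape as the two snippets in the post.
OUTER, INNER = "http://trusted.example/", "http://other.example/"
UNCLOSED = f'<a href="{OUTER}"><table><tr><td><a href="{INNER}">Click</td></tr></table></a>'
CLOSED = f'<a href="{OUTER}"><table><tr><td><a href="{INNER}">Click</a></td></tr></table></a>'
BENIGN = f'<a href="{OUTER}">Home</a> <a href="{INNER}">Other</a>'
```

A mail gateway or HTML sanitizer could call `find_conflicting_links` on inbound markup and strip or flag any link it reports.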

Posted on Saturday, October 30, 2004 1:16 PM