Recent posting by Microsoft into the newsgroups....

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_PACBELL.NET)
Date: 12/13/03

  • Next message: James C. Slora Jr.: "Re: IE URL obfuscation"
    Date:         Sat, 13 Dec 2003 10:14:50 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    "Microsoft is investigating new public reports of a possible vulnerability
    in Internet Explorer which could enable a malicious hacker to spoof a web
    site address.

    The problem occurs because it is possible for an attacker to create a URL
    link that uses a special character. This malformed link can force Internet
    Explorer to display an incorrect URL in the address bar. An attacker could
    attempt to use this in conjunction with a "spoofed" web site to make it
    more difficult for a user to identify the true address of the web site. An
    attacker could attempt to exploit this by creating a malformed link and
    posting it on a web site or sending it in HTML e-mail. The user would have
    to click on the link. Once the user clicked on the link, they would be
    taken to the attacker's web site which would display an address of the
    attacker's choice in the address bar.

    Microsoft is working with customers to ensure their information is
    protected. Microsoft is working to develop a Knowledge Base article that
    provides customers with guidance on how to identify "spoofed" sites
    including sites that are accessed using links that exploit this
    issue. Microsoft Product Support has also successfully helped and is
    continuing to help customers who believe they have clicked on links that
    exploit this issue.

    When completed, this information will be available at
    http://support.microsoft.com/?id=833786

    In addition, customers who are concerned about this issue can take the
    following steps to help mitigate this issue:

    - Ensure that web sites are using SSL/TLS before entering sensitive
    information by verifying the presence of a gold
    lock icon in the lower right corner of the Internet Explorer window.
    - Read E-mail Messages in Plain Text: This will show the full hyperlink,
    allowing users to inspect the hyperlink
    that Internet Explorer will use.

    In addition, customers can generally improve the security of their online
    experience by using the Security zone features in Internet Explorer in the
    following ways:

    - Set Browser Security to High
    - Add Safe Websites to Trusted Sites

    Note that customers should test setting browser security to high as it does
    change Internet Explorer functionality.

    Customers who want to verify the address of the page they are viewing can
    use a JScript command to verify the URL or use the History pane in Internet
    Explorer to display the URL of the web site.

    To verify the URL using JScript:

    1. In the Address bar, type:
    javascript:alert("Actual URL: " + location.protocol + "//" +
    location.hostname + "/");
    2. Compare the URL listed in the dialog with the
    URL displayed in the folder above the currently highlighted web page
    in the History pane. If they do not match, then the site is
    misrepresenting itself and you should leave the
    site by closing the browser.

    To view the URL of the current page in the History pane of Internet
    Explorer:

    1. If the History pane is currently open, on the toolbar, click the History
    button (the button with the circular
    green arrow) to close the History pane.
    2. On the toolbar, click the History button to open the History pane.
    3. If the address of the web site is not visible in the History list, click
    the arrow next to the View button at the
    top of the History bar and select "By Date" or "By Site".
    4. In this History pane on the left side, the URL of the site hosting the
    page is highlighted in the folder above
    the page.
    5. Compare the URL in the Address bar with the URL displayed in the folder
    above the currently highlighted web page in
    the History pane. If they do not match, then the site is misrepresenting
    itself and you should leave the site
    by closing the browser.

    Microsoft is committed to keeping customers' information safe and upon
    completion of investigating the problem, Microsoft will take the
    appropriate action to protect its customers and decide whether providing a
    fix and additional mitigation information is warranted."

    --
    http://www.sbslinks.com/really.htm
    -----
    Want to reply to the person who sent this message?
    This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----
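The check Microsoft's text recommends (compare location.protocol + "//" + location.hostname + "/" with what the address bar or link text shows) can be run outside the browser, over the links in a mail body, which is what the "read e-mail in plain text" advice amounts to. The script below is an added example; it is not code from the post above or from Microsoft. It computes the advisory's "Actual URL" string for each href in an HTML message and flags links whose visible text names a different host than the one a browser would contact, or whose URL carries userinfo (text before "@"). The advisory does not say which special character triggers the Internet Explorer bug; the constructed sample uses the standard userinfo@host form only because it is a legal URL whose leading text is not its host. The hostname heuristics, the sample message and the 203.0.113.5 address are assumptions for the example. It runs under Node.js with no network access.

```javascript
// Added example, not code from the NTBUGTRAQ post or from Microsoft's text.
// Reproduces the advisory's JScript check
//   location.protocol + "//" + location.hostname + "/"
// for a URL string, then applies it to every link in an HTML e-mail and
// reports links whose visible text points at a different host than the one
// the browser would really contact. Runs under Node.js (WHATWG URL), offline.

// The same string the advisory's javascript:alert("Actual URL: ...") shows
// for the current page, computed for an arbitrary URL. Returns null when the
// string is not a valid absolute URL.
function actualUrl(href) {
  try {
    const u = new URL(href);
    return u.protocol + "//" + u.hostname + "/";
  } catch (e) {
    return null;
  }
}

// Hostname a reader would take from the visible link text, or null when the
// text is not URL-like ("click here"). A scheme is prepended when missing so
// "www.example.com/login" parses; names without a dot are treated as prose.
// (Heuristic assumed for this example.)
function hostFromText(text) {
  const t = text.trim();
  if (t === "" || /\s/.test(t)) return null;
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : "http://" + t;
  try {
    const h = new URL(withScheme).hostname;
    return h.includes(".") ? h : null;
  } catch (e) {
    return null;
  }
}

// Minimal anchor extraction, enough for a plain HTML mail body; tags inside
// the link text are stripped so "<b>www.example.com</b>" still compares.
function extractLinks(html) {
  const links = [];
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]*>/g, "") });
  }
  return links;
}

// Check every link; each result carries the advisory-style actual URL and
// the reasons, if any, the link deserves a closer look.
function checkMailLinks(html) {
  return extractLinks(html).map(({ href, text }) => {
    const reasons = [];
    const actual = actualUrl(href);
    if (actual === null) {
      reasons.push("href is not a valid absolute URL");
      return { href, text, actual, reasons };
    }
    const u = new URL(href);
    // Text before "@" in a URL is userinfo, not the host: whatever a reader
    // sees there, the browser connects to u.hostname.
    if (u.username !== "" || u.password !== "") {
      reasons.push("URL carries userinfo before '@'; real host is " + u.hostname);
    }
    const shown = hostFromText(text);
    if (shown !== null && shown.toLowerCase() !== u.hostname.toLowerCase()) {
      reasons.push("link text shows " + shown + " but href goes to " + u.hostname);
    }
    return { href, text, actual, reasons };
  });
}

// Constructed sample HTML mail (not a real message): one honest link, one
// whose text and destination disagree, one with userinfo before "@".
const SAMPLE_MAIL = `
<p>Please confirm your account:
<a href="http://www.example.com/login">http://www.example.com/login</a><br>
<a href="http://203.0.113.5/login"><b>www.example.com</b>/login</a><br>
<a href="http://www.example.com@203.0.113.5/login">click here</a></p>`;

for (const r of checkMailLinks(SAMPLE_MAIL)) {
  console.log(r.actual, r.reasons.length ? "SUSPICIOUS: " + r.reasons.join("; ") : "ok");
}
```

The first sample link reports "ok"; the second is flagged because its text names www.example.com while its href goes to 203.0.113.5; the third is flagged for the userinfo before "@". Either way the "Actual URL" value is the one a browser would contact, which is what the advisory asks the reader to compare against the address bar.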
    
