Microsoft IE Crafted Elements Status Bar URL Spoofing

2006-02-16T09:58:17
ID OSVDB:23609
Type osvdb
Reporter Ken Hollis (gandalf@digital.net)
Modified 2006-02-16T09:58:17

Description

Vulnerability Description

Microsoft Internet Explorer contains a flaw in how it displays information in the status bar that may allow an attacker to spoof the status bar contents when a user mouses over a link. The user might be tricked into believing the link leads to a different page, which could lead to a phishing attack.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Microsoft Internet Explorer contains a flaw in how it displays information in the status bar that may allow an attacker to spoof the status bar contents when a user mouses over a link. The user might be tricked into believing the link leads to a different page, which could lead to a phishing attack.

Manual Testing Notes

The spam message referred to in http://www.securityfocus.com/archive/1/archive/1/425298/100/0/threaded was saved as an HTML file and opened with Microsoft Internet Explorer 7 Beta3. The status bar showed the real URL, not the spoofed one.

References:

Mail List Post: http://www.securityfocus.com/archive/1/archive/1/425386/100/0/threaded
Mail List Post: http://www.securityfocus.com/archive/1/archive/1/425883/100/0/threaded
Mail List Post: http://www.securityfocus.com/archive/1/archive/1/425298/100/0/threaded
ISS X-Force ID: 17938
CVE-2006-0799
CERT VU: 702086
Bugtraq ID: 11565