New IE 6 browser flaw
IE 6.0 users could be in trouble again, this time by being tricked into divulging sensitive information, or downloading and executing malware on their systems, says Secunia, a Danish IT-security service provider.
Secunia, which has pinpointed other serious chinks in Microsoft’s armour, says the vulnerability allows a fake URL to be displayed in the address bar, adding that although it has been confirmed in IE 6.0, prior versions may also be affected.
Microsoft is already in the news because automatic teller machines at two banks running its Windows software were infected by a computer virus.
This latest threat is caused by an input validation error, which can be exploited by placing the URL-encoded byte "%01" at the end of the username portion of a URL, immediately before the "@" character, says Secunia.
"Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address bar, which is different from the actual location of the page," it says. "This can be exploited to trick users into divulging sensitive information or download and execute malware on their systems, because they trust the faked domain in the address bar."
Example? You’d see http://www.trusted_site.com in the address bar when the page actually comes from malicious_site.com:
http://www.trusted_site.com%01@malicious_site.com/malicious.html
A test is available at:
http://www.secunia.com/internet_explorer_address_bar_spoofing_test/
NOTE: It’s also possible to hide the real domain name in the IE status bar by also including a NULL byte ("%00") in the URL before the "@" character, says Secunia.
What can you do?
"Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities," it adds, and "Don’t follow links from untrusted sources."
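The filtering advice above can be turned into a concrete check. In a URL the real destination is whatever follows the last "@" of the authority component (RFC 3986 userinfo rules); everything before it is a decoy as far as the browser's connection is concerned. The added example below, which is not Secunia's or Microsoft's code, parses the authority, reports the real host and the decoy host, and flags the "%01"/"%00" control-character pattern from the article as well as a hostname-looking username. The sample URLs are constructed for the demo, based on the article's own example; the hypothetical function names and the `.example` host are assumptions.

```python
"""Flag address-bar spoofing URLs of the kind described by Secunia (userinfo
followed by a percent-encoded control byte and an '@'), as a URL filter for a
proxy or gateway would. Added example; not code from the original article."""
import re
from urllib.parse import unquote

# Percent-encoded C0 control characters (%00-%1F) and DEL (%7F) in the userinfo
# are the sequence the article describes ("%01" for the address bar, "%00" for
# the status bar).
_ENCODED_CONTROL = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")
# Something that looks like a domain name (underscore allowed, as in the sample).
_HOSTNAME_LIKE = re.compile(r"^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+$")
# scheme://authority, where the authority ends at the first '/', '?' or '#'.
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")

# Constructed sample input: the first URL is the article's example, the rest
# are variants and benign controls made up for this demo.
SAMPLE_URLS = [
    "http://www.trusted_site.com%01@malicious_site.com/malicious.html",
    "http://www.trusted_site.com%00@malicious_site.com/",
    "http://www.trusted_site.com@malicious_site.com/",
    "http://user:secret@intranet.example/",
    "http://www.example.com/page",
]


def split_authority(url):
    """Return (userinfo, real_host) for an absolute URL, or (None, None).

    RFC 3986: the optional userinfo precedes the LAST '@' of the authority, so
    the host the client actually connects to is what follows that '@'.
    (Port handling is simplified; bracketed IPv6 hosts are not supported.)
    """
    m = _AUTHORITY.match(url.strip())
    if not m:
        return None, None
    authority = m.group(1)
    userinfo, sep, hostport = authority.rpartition("@")
    host = hostport.split(":")[0].lower()
    return (userinfo if sep else None), host


def inspect_url(url):
    """Classify a URL: real host, decoy host (if any) and the reasons flagged."""
    userinfo, host = split_authority(url)
    result = {"real_host": host, "decoy_host": None, "reasons": []}
    if userinfo is None:
        return result
    result["reasons"].append("userinfo-present")
    if _ENCODED_CONTROL.search(userinfo):
        result["reasons"].append("control-char-in-userinfo")
    # What a naive display would show: the username part, decoded, with the
    # non-printable bytes that hide the rest of the URL stripped out.
    shown = unquote(userinfo.split(":", 1)[0])
    shown = "".join(ch for ch in shown if ch.isprintable())
    if _HOSTNAME_LIKE.match(shown):
        result["decoy_host"] = shown.lower()
        result["reasons"].append("hostname-like-userinfo")
    return result


def is_spoof_attempt(url):
    """Policy: block when the userinfo hides a control byte or impersonates a host.
    Plain credentials in the userinfo are reported but allowed."""
    reasons = inspect_url(url)["reasons"]
    return ("control-char-in-userinfo" in reasons
            or "hostname-like-userinfo" in reasons)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = inspect_url(u)
        verdict = "BLOCK" if is_spoof_attempt(u) else "allow"
        print(f"{verdict:5}  host={r['real_host']}  decoy={r['decoy_host']}  {r['reasons']}")
```

Run as a script it prints one verdict per sample URL; in a proxy you would call `is_spoof_attempt` on each requested URL and log `inspect_url`'s real and decoy hosts so that analysts can see which trusted name was being impersonated. A stricter policy can simply refuse any URL with userinfo at all, since legitimate sites rarely rely on it.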