X
Government

Microsoft: URL spoofing is not a security risk

Microsoft has rejected claims from security researchers that a recently discovered spoofing technique on Internet Explorer is a security vulnerabilityThe software giant accepted the possibility that spoofing could occur on version six of IE, but rejected claims that this was a security flaw.In a prepared email statement from the company, a spokesperson said: "Microsoft is aware of a security issue reported last week that could allow spoofing the URL a user sees in Internet Explorer's status bar.
Written by Dan Ilett, Contributor
Microsoft has rejected claims from security researchers that a recently discovered spoofing technique on Internet Explorer is a security vulnerability

The software giant accepted the possibility that spoofing could occur on version six of IE, but rejected claims that this was a security flaw.

In a prepared email statement from the company, a spokesperson said: "Microsoft is aware of a security issue reported last week that could allow spoofing the URL a user sees in Internet Explorer's status bar. Users could see a URL in the status bar when the mouse hovers over the link on a webpage, but clicking the link would take the user to a different URL. Our investigation has indicated that this is not a security vulnerability."

Last week, a researcher in Germany, Benjamin Tobias Franz, posted warnings on bulletin board Web site Bugtraq, stating that Internet Explorer could spoof links if users put two URLs and a table inside an HTML 'href' tag.

The result, Franz claimed, was that malformed links to URLs could take users to an entirely different Web site without their knowledge.

This technique could be used for spoofing - a way of making users think they are visiting their chosen Web site when they are in fact looking at a 'spoofed' site.

Spoofing techniques are frequently used in phishing scams -- emails that attempt to steal user information by purporting to be from legitimate organisations.

But Microsoft said that a large amount of social engineering would need to take place if victims were to fall for such attacks: "An attacker would need to entice a user to visit a site, and then entice the user to click a link on that site based on the URL that appears in the Internet Explorer's status bar.

"Once on the destination site, the user would need to be enticed by the attacker to take some action, such as disclosing confidential financial information, without the user noticing that the URL in the address bar does not match the URL that the user thought he [or] she was visiting," the statement said.

Microsoft advised users to check that the URL in the browser address bar was the intended destination before going to the site. Franz and Microsoft agreed that Windows XP SP2 is unaffected by the issue.

Microsoft added: "[We] will evaluate the feasibility of implementing similar changes on earlier versions of Windows in the future."

On the Bugtraq Web site, Franz said that HTML e-mail messages were vulnerable to the technique, so Microsoft Outlook Express was also affected. Franz wrote that users should avoid non-trusted links, or right-click on links to see the real target.

According to security firm NetCraft, Mozilla Firefox users are not affected by the issue.

Editorial standards