Internet Explorer URL Display problem

Martin Sapsed m.sapsed at BANGOR.AC.UK
Wed Dec 10 18:36:30 GMT 2003


Hi all,

I've received this via the UK academic network security team.

--------------

An issue was identified yesterday with Internet Explorer and the way it
displays URLs in the address bar.

From the original Bugtraq posting:

"By opening a window using the http://user@domain nomenclature an
attacker can hide the real location of the page by including a 0x01
character after the "@" character. Internet Explorer doesn't display the
rest of the URL making the page appear to be at a different domain."

Proof of Concept http://www.zapthedingbat.com/security/ex01/vun1.htm

This is particularly pertinent given the recent spate of emails from
fraudulent online banking sites, such as those pretending to be Natwest.
This problem makes these types of scams a great deal harder for end
users to spot, as it is now possible to have e.g. www.natwest.com appear
in the address bar when the end user is looking at a fraudulent site.

There is as yet no fix from Microsoft for this issue, nor is there a
workaround for Internet Explorer. As soon as one becomes available we'll
let you know.

-------------

Would I be right in thinking that the only way MailScanner could do
anything about this type of thing in an e-mail would be to use MCP or
would a simple addition to the SpamAssassin rules do the trick? I guess
though if you modify the normal SA rules you might end up marking it as
Spam whereas actually, you want to identify it as malicious.

Any thoughts anyone?

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth
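A small detector for the kind of e-mail check Martin is asking about, added here as an example and not taken from the list post or from MailScanner/SpamAssassin (Python rather than a SpamAssassin rule, so it can be run stand-alone). It flags any http(s) URL whose authority carries a user@host part together with a 0x01 byte, whether raw or percent-encoded as %01, and reports the host the address bar would have shown (the userinfo text before the control character, per the advisory) against the host actually contacted. The sample message body and the phish.example.net / example.org hosts are constructed.

```python
import re

# Authority part of an http(s) URL that contains a userinfo "@"; the match
# stops at whitespace, quotes, angle brackets or the first "/" after the host.
URL_WITH_USERINFO = re.compile(
    r'https?://([^\s"\'<>/]*@[^\s"\'<>/]*)', re.IGNORECASE)


def normalise(text):
    """Turn percent-encoded %01 into the raw byte so both spellings are caught."""
    return re.sub(r'%01', '\x01', text, flags=re.IGNORECASE)


def find_spoofed_urls(text):
    """Return one record per URL whose authority carries a 0x01 byte.

    displayed_host: what the advisory says IE shows in the address bar,
                    i.e. the userinfo text up to the control character.
    real_host:      the host actually connected to (after the last '@').
    """
    hits = []
    for m in URL_WITH_USERINFO.finditer(normalise(text)):
        authority = m.group(1)
        if '\x01' not in authority:
            continue  # plain user@host URLs are legal; do not flag them
        userinfo, _, hostport = authority.rpartition('@')
        displayed = userinfo.split('\x01')[0].split(':')[0]
        real_host = hostport.replace('\x01', '').split(':')[0]
        hits.append({'displayed_host': displayed,
                     'real_host': real_host,
                     'url': m.group(0).replace('\x01', '%01')})
    return hits


# Constructed sample message body (not from the list post or the advisory).
SAMPLE_BODY = """Dear customer, please confirm your details at
http://www.natwest.com%01@phish.example.net/login.htm within 24 hours.
Our real site is http://www.natwest.com/ and support is at
http://help:desk@intranet.example.org/ (a legitimate user@host URL)."""

if __name__ == '__main__':
    for hit in find_spoofed_urls(SAMPLE_BODY):
        print(f"spoof: shows {hit['displayed_host']} "
              f"but goes to {hit['real_host']} ({hit['url']})")
```

Because the check keys on the control character rather than on any domain name, it does not depend on the usual spam scoring and can be turned into a dedicated "malicious URL" flag rather than a spam hit.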