Technology Tutorial

Fix MSIE URL Spoof

Scenario:
Clicking on a link contained within an email, document or other rich file launches Microsoft Internet Explorer (MSIE). MSIE gives every outward indication that the intended site was reached, but in reality the browser was redirected to a different web address (URL).

Cause:
A documented flaw in all versions of MSIE prior to version 6.0 with Service Pack 1 makes blind redirection (hijacking) possible. This hijacking can direct MSIE to a site containing malicious code that can take advantage of other flaws within MSIE itself, the underlying Operating System, or both. Later versions of MSIE still support some forms of redirection.

The spoof uses a link that is crafted to look like it will access a specific Web Page, while coded to load a completely different URL. It is accomplished with the inclusion of a non-printing character in the link. To illustrate the spoof, click on the two buttons below and pay attention to the browser's address bar:



The "Normal" button always loads a specially prepared demonstration page correctly, while the "Hijacked" button attempts to do so using the aforementioned flaw. If the browser is not vulnerable, the page will not load.

Solution:
The obvious best solution is to not use Microsoft Internet Explorer at all! However, that is not always possible. The spoof will always happen if the version of MSIE predates version 6.0.2800.1106, which claims to correct the flaw. However, that does not mean a later release of MSIE might not reintroduce it.

Given that the spoof hides the redirected URL, the most expedient solution is to never click on links embedded in emails or documents. Rather, copy and paste the URL (<Ctrl>+C / <Ctrl>+V) into the browser's address bar. While tedious, it is the safest solution in the long run.

You can also verify the legitimacy of a URL by running a search against the URL, or by running the following JavaScript command on the page once it has loaded:

javascript:alert('Displayed URL:\t' + location.protocol + '//' + location.hostname + '/' + '\nActual URL:\t' + location.href + '\n\nIf the server names do not match, this may be a spoof.');
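The address-bar check above only works after the page has loaded. As an added example that is not part of the original tutorial, the JavaScript below applies the same idea to a link before it is clicked: using only the standard URL API, it compares the host a reader would take from the visible link text with the host the href actually points to, and flags non-printing characters or a username embedded in the link. All link values are constructed samples on placeholder domains.

```javascript
// Added example (not from the original tutorial): inspect a link before it is clicked.
// Uses only the standard WHATWG URL API, available in Node.js and modern browsers.
const RAW_CONTROL = /[\x00-\x1f\x7f]/;                // non-printing characters as typed
const ENCODED_CONTROL = /%(0[0-9a-f]|1[0-9a-f]|7f)/i; // the same, percent-encoded
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:/i;

// Host a reader would take from the visible link text, or null if the text is not URL-like.
function displayedHost(text) {
  const t = text.trim();
  if (!HAS_SCHEME.test(t) && !t.includes('.')) return null; // e.g. "Click here"
  try {
    return new URL(HAS_SCHEME.test(t) ? t : 'http://' + t).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Compare where a link says it goes (its text) with where it really goes (its href).
function inspectLink(href, text) {
  const warnings = [];
  if (RAW_CONTROL.test(href) || ENCODED_CONTROL.test(href)) {
    warnings.push('non-printing character in link');
  }
  let actual;
  try {
    actual = new URL(href);
  } catch {
    return { actualHost: null, displayedHost: displayedHost(text), warnings: ['href does not parse', ...warnings] };
  }
  if (actual.username || actual.password) {
    warnings.push('username or password embedded before the host');
  }
  const shown = displayedHost(text);
  if (shown !== null && shown !== actual.hostname.toLowerCase()) {
    warnings.push(`displayed host "${shown}" differs from actual host "${actual.hostname}"`);
  }
  return { actualHost: actual.hostname.toLowerCase(), displayedHost: shown, warnings };
}

// Constructed sample links (placeholder domains), as they might appear in an e-mail.
const SAMPLE_LINKS = [
  { href: 'http://www.example.com/page', text: 'http://www.example.com/page' },
  { href: 'http://example.net/login', text: 'www.example.com' },
  { href: 'http://example.net/%01file', text: 'Click here' },
];

// Audit the sample links; returns only those that raised a warning.
function auditLinks(links = SAMPLE_LINKS) {
  return links.map(l => ({ ...l, ...inspectLink(l.href, l.text) })).filter(r => r.warnings.length);
}

for (const r of auditLinks()) console.log(`${r.href}: ${r.warnings.join('; ')}`);
```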

To check the version of MSIE that is in use, click Help | About and check the version information. An updated instance of MSIE will have a version number higher than 6.0.2800.1106 and include Service Pack 1 (SP1) in the update versions list.

For more information, consult Article KB833786 in the Microsoft Knowledgebase.


Copyright ©2004 - 2025, Design ...by Graf!