Interesting People mailing list archives

more on (seems it is not just IE -- ) MSFT: don't click on links, type them in by hand


From: Dave Farber <dave () farber net>
Date: Fri, 30 Jan 2004 15:36:08 -0500


Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Fri, 30 Jan 2004 14:13:34 -0500 (EST)
From: Bruce Campbell <bc () clicknation com>
Subject: Re: [IP] [Boing Boing Blog] MSFT: don't click on links,
 type them in by hand
To: dave () farber net

> MSFT now advises its
> users to not click links, but rather to type them in by hand:
>
> The most effective step that you can take to help protect yourself from
> malicious hyperlinks is not to click them. Rather, type the URL of your
> intended destination in the address bar yourself. By manually typing
> the URL in the address bar, you can verify the information that
> Internet Explorer uses to access the destination Web site. To do so,
> type the URL in the Address bar, and then press ENTER.
>
> Or, you could, you know, just Download Mozilla.
>
> Link: http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;833786
>

Fun as it is to bash Microsoft (I personally use Mac and Linux), this
vulnerability is also present in Mozilla, so Mr. Link's solution fails on
its merits.

I set up a web page using the precise exploit as described in the
Microsoft web site above. Mozilla Firebird 0.7.1 handles it in exactly the
same manner as Explorer, showing a false URL in the status bar.

To see what's happening, the page is at

http://www.clicknation.com/testdir/

It shows a link to wingtiptoys.com but will actually redirect to my blog.

There are many more elaborate spoofs that can use this same technique, but
it seems to be more a general industry issue than just a Microsoft
problem. This one could make the Internet a very nasty, dangerous
neighborhood indeed.

And the Microsoft solution detailed above is NO SOLUTION AT ALL.

I'd be interested in knowing what browsers/mail readers fail the test.

Bruce Campbell

bc @ clicknation.com

The Snoofmadrune Weblog
www.clicknation.com/snoof
