Interesting People mailing list archives
more on (seems it is not just IE -- ) MSFT: don't click on links, type them in by hand
From: Dave Farber <dave () farber net>
Date: Fri, 30 Jan 2004 15:36:08 -0500
Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Fri, 30 Jan 2004 14:13:34 -0500 (EST)
From: Bruce Campbell <bc () clicknation com>
Subject: Re: [IP] [Boing Boing Blog] MSFT: don't click on links, type them in by hand
To: dave () farber net

> MSFT now advises its
> users to not click links, but rather to type them in by hand:
>
> The most effective step that you can take to help protect yourself from
> malicious hyperlinks is not to click them. Rather, type the URL of your
> intended destination in the address bar yourself. By manually typing
> the URL in the address bar, you can verify the information that
> Internet Explorer uses to access the destination Web site. To do so,
> type the URL in the Address bar, and then press ENTER.
>
> Or, you could, you know, just Download Mozilla.
>
> Link: http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;833786
>

Fun as it is to bash Microsoft (I personally use Mac and Linux), this vulnerability is also present in Mozilla, so Mr. Link's solution fails on its merits.

I set up a web page using the precise exploit as described in the Microsoft web site above. Mozilla Firebird 0.7.1 handles it in exactly the same manner as Explorer, showing a false URL in the status bar.

To see what's happening, the page is at http://www.clicknation.com/testdir/

It shows a link to wingtiptoys.com but will actually redirect to my blog. There are many more elaborate spoofs that can use this same technique, but it seems to be more a general industry issue than just a Microsoft problem.

This one could make the Internet a very nasty, dangerous neighborhood indeed. And the Microsoft solution detailed above is NO SOLUTION AT ALL.

I'd be interested in knowing what browsers/mail readers fail the test.

Bruce Campbell
bc @ clicknation.com
The Snoofmadrune Weblog
www.clicknation.com/snoof