RE: New (19.10.05) MS-IE Url Spoofing bug (byK-Gen).

[Nick FitzGerald <nick () virus-l demon co uk>]

Scott Melnick to me:

> It has been that way for a long time. Sometime the underlined link is in
> the form of Click Here to be redirected. Phishing schemes have been
> using this in emails for a good long time as well. Especially the ebay
> account ones that I'm sure everyone has seen about account information.

"because "it works" does NOT mean that is how it is supposed to be...

And, even if "this is how it is supposed to be" by some or rather 
interpretation of some standard does not mean that we cannot question 
the desirability (or even the sanity) of that "standard" and/or of 
sticking to implementing it!

Even if this behaviour is "correct" (which seems entirely open to 
debate if you read the mess of responses), I will continue to argue 
that _this particular form_ of duping the user is so undesirable as to 
be a total misfeature AND SHOULD BE REMOVED on the grounds the standard 
is clearly totally bozoid in this case.

...

Oh, and I can't be sure, but I suspect that the phishing schemes you 
are referring to are actually those I see quite a lot using the "fool 
the status bar display of the destination URL with a broken MAP tag 
improperly embedded in an HREF" trick (which only works in IE, and 
maybe some versions of Opera).  If so, you are wrong again and the 
"problem" is not the HTML spec, or Javascript, or anything but total 
lack of concern for standards compliance in Redmond...  (And yes, there 
are other tags apart from MAP that can be used in that trick, but they 
are very rarely used by the phishers...)


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/