New Spoofing Flaw found in Internet Explorer, pre IE6 SP2
As of now, the only solution is to upgrade to Windows XP SP2 if you haven't done so already (impossible to do so if you run Windows 2000 or before), or don't use IE and Outlook Express. As usual.A new spoofing flaw in Microsoft's Internet Explorer browser allows an improperly coded web link to send users to a diffferent URL than the one displayed in the status bar.
The flaw, which was posted to the Bugtraq mailing list by Benjamin Franz, is exploited by placing two URLs and a table within a single HTML href tag, producing a link that looks like this:
displaying http://www.microsoft.com in the browser, but sending the user to Google. Franz says the exploit works in fully-patched versions of Internet Explorer and Outlook Express, meaning the HTML code can be used to create spoofed URLs in webpages and HTML e-mails.
The technique, which can be executed by anyone with basic knowledge of HTML, can be used to construct convicing fake URLs for use in phishing scams. The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML. The attack opens one href tag, and then leaves that tag open while enclosing a second URL within a table. The browser displays the first URL in the status bar, but sends users to the second URL.
The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2, but are current on all other critical updates from Windows Update - as well as the Safari browser for Macs. Users running Windows XP SP2 (IE version 6.0.2900) and the open source Firefox and Mozilla browsers are not affected.