From CNet:

Microsoft is rejecting claims from security researchers that a spoofing technique discovered on Internet Explorer is a security vulnerability.

Article [news.com.com]

IE is only if you're using XP with SP2 installed.

Now I'm not so sure. I've run the test page on this setup and get two addresses shown in the status bar - depending where the mouse hovers! If it hovers below the link text, where no hover effect takes place, I see a link to Microsoft's site. But when I move over the text (and the link changes blue and is underlined) then the status bar changes to Google!

I have also tested this in Opera 7.54 and 7.60 Preview 2, both of which follow IE's example!

Can anyone test this in a pre-SP2 XP version of IE and report what they see?

My status bar displays microsoft.com with IE6 / Windows 2000 SP4

Its a very abstract Flaw if that, it does the same thing for a lot of browsers.

<added>Ok I stand corrected but this can be done with Javascript as well lots of sites use the Javascript technique to trick the user that they are going to another site. </added>

regards,
Mark

> Can anyone test this in a pre-SP2 XP version of IE

I can't, but FWIW, Netscape 4 shows Google in the status bar...

<added>
> If it hovers below the link text, where no hover effect takes place, I see a link to Microsoft's site.

In Opera (7.11), the outer Microsoft link is clickable and does go to MS. In IE 6 (on W2KSP4), I see the MS link, but it is unclickable.
</added>

You know, I checked the URL with XP SP2 IE 6, Win98 IE 6, Mozilla 1.7 (windows) and Firefox 0.9.1 (windows) and they all treated that link exactly the same way.

the links says [microsoft.com...] and mousing over says [google.com...] in the status bar, and clicking goes to google.

source code shows two nested links, but I don't see how, in effect it is any different than doing this:

<a href="http://www.example.com/">http://www.foobar.com</a>

Happens all the time on the web. I don't see how it is a security issue, especially since all the browsers I tried treat it exactly the same.

Because in the browsers where it shows Microsoft in the status bar, people will think that's where the link goes. But it doesn't. The correct reading for the link should be Google. IE6 and Opera 7 show both, depending where the mouse is. But Firefox (0.10.1 here) always shows Google, so it is safer.

> Can anyone test this in a pre-SP2 XP version of IE

IE6 SP1 shows microsoft all the way.. no "below" hover activating, no mention of Google

IE 6 SP1 shows only microsoft's addy....

[ooops. Should have read to the end of the thread!]

Sorry, I didn't RTFA closely enough, plus Hester said:

"IE is only if you're using XP with SP2 installed."

I guess he meant "IE is OK only..."

Definitely an abstract flaw and probably not a major issue IMO, but a flaw none-the-less.

Question: In your experience, how many typical web users pay attention to the URL in the status bar?

I wrote "Firefox and Mozilla are OK. IE is only if you're using XP with SP2 installed." - thus no need for "IE is OK"? I thought the previous sentence implied this. Perhaps I should have said "IE is also".

I read a different article at NewScientist [newscientist.com] that describes phishing scams using scripts to make changes to the hosts file. It take advantage of vulnerabilities in csript.exe and wscript.exe to execute changes to the hosts file.

For example, if you insert the line

216.239.37.99 www.microsoft.com

into your hosts file, and you type www.microsoft.com in your browser, you will end up at Google. The address bar of your browser will say Microsoft and you will think that you are at Microsoft, yet you will actually be at Google. The danger behind this is when phony sites are created to trick the user into thinking they are at the real site.