Microsoft Responds to IE7 Popup Address Bar Spoof

Bink has reported the following 'less-critical' exploit over at Secunia and Microsoft promptly responded the same day.

A weakness has been discovered in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks. Secunia have a demo of the exploit online.

Christopher Budd responded over at the Microsoft Security Response Center Blog by saying "First, this is an issue with how URLs are displayed in the address bar. Specifically, we've seen that this occurs in a pop-up window after a user clicks a specially formed link on an untrusted website or in an untrusted e-mail.

Now, while the full URL is actually present in the address bar, the left part of the URL is not initially displayed. But, you can see the full URL if you either click in the browser window or in the address bar and then scroll within the address bar." Nice to see Microsoft responding so quickly to even minor bugs affecting IE7.
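The point in Microsoft's response is that the URL is genuinely present; the pop-up's address bar is simply showing its right-hand end, and a link built as "real-host/path?" followed by a long run of padding and a look-alike origin puts the wrong host in view. The check below is an added example written for this article, not code from Secunia or Microsoft, and the sample link it uses is constructed, not the real demo URL. It reports the host a URL parser actually resolves, lists any URL-like strings hidden after the path, and flags the combination of padding plus a look-alike host, which is the kind of rule a mail or proxy filter could apply to links before a user ever sees an address bar.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample link (not the real Secunia demo): the true host, then a
# long run of spaces, then a look-alike origin carried in the query string.
SAMPLE_LINK = ("http://secunia.com/result_22542/?"
               + " " * 140
               + "http://www.microsoft.com/")

# A scheme://host prefix appearing anywhere after the path.
EMBEDDED_ORIGIN = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Eight or more consecutive whitespace characters (covers %20 once decoded,
# and non-breaking spaces, since \s is Unicode-aware for str patterns).
WHITESPACE_RUN = re.compile(r"\s{8,}")


def real_host(url: str) -> str:
    """Host the browser will actually connect to, as the URL parser sees it."""
    return (urlsplit(url).hostname or "").lower()


def embedded_hosts(url: str) -> list:
    """Hosts of any URL-like strings tucked into the query or fragment."""
    parts = urlsplit(url)
    after_path = unquote(parts.query) + " " + unquote(parts.fragment)
    return [h.lower() for h in EMBEDDED_ORIGIN.findall(after_path)]


def visible_tail(url: str, width: int = 30) -> str:
    """What a right-aligned address bar `width` characters wide would show."""
    return url[-width:]


def assess(url: str, width: int = 30) -> dict:
    """Summarise the link: real host, hidden hosts, padding, and a verdict."""
    host = real_host(url)
    parts = urlsplit(url)
    after_path = unquote(parts.query) + unquote(parts.fragment)
    padding = bool(WHITESPACE_RUN.search(after_path))
    lookalikes = [h for h in embedded_hosts(url) if h != host]
    tail = visible_tail(url, width)
    # Only the padding-plus-lookalike combination is treated as suspicious;
    # a plain redirector URL (u=http://...) with no padding is left alone.
    return {
        "real_host": host,
        "lookalike_hosts": lookalikes,
        "padding_run": padding,
        "visible_tail": tail,
        "tail_hides_real_host": host not in tail.lower(),
        "suspicious": bool(lookalikes) and padding,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LINK).items():
        print(f"{key}: {value!r}")
```

The `width` parameter is an assumption standing in for whatever the pop-up's address bar can show; the verdict deliberately does not depend on it, because the host being out of view is a property of the window, while the padding and the embedded look-alike origin are properties of the link itself and can be checked before delivery.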

View: Full Response @ Microsoft Security Response Center Blog

13 Comments

I hope they get all these little annoyances out of the way before releasing via auto-update. Currently I'm annoyed at IE7 taking over my .html icons when Explorer is set to tile view, yet it correctly displays the Firefox icon when in icon/list/details view ¬_¬

I just tried it, and while it does say microsoft.com when it first opens the page, I can see the full URL once I click anywhere in the popup. If this is the expected result then it doesn't seem that bad to me.

Has anyone tried the flaw? My address bar displays this: h||p://secunia.com/result_22542/?  http://www.microsoft.com/                                                                                                            | <- I put this line here to show where the spaces ended but it still shows the site is from secunia and I purposely mangled the T's to not have the board automatically make it a url.

Yeah, that's right. It's not a flaw, because the URL is purposefully right-aligned. It might seem like buggy behaviour, I'll agree, but it's not a security flaw because the whole URL is displayed.

Besides, on mine it doesn't even look right, the htt part is cut off, it says p://www.microsoft.com/, yeah, that's real authentic.

Exactly, although it's good of them to respond, they should fix it. It is an incredibly simple fix, and I could do it myself. It would take Microsoft a total of 2 mins to fix this one.

Shame on you

Quote - MrCobra said @ #3.1
It was probably another one of those 'not high on the list of fixes' bugs.

No, more like it's an "It's not a bug, it's a feature!" bug.

Not really much of a bug, more a display issue of where you show the text in a long string, but hey, what's worse: a moved line of text, or not showing the URL at all like in IE6 and Firefox 2?

Having some special trick to get round it doesn't make it not a huge issue for the millions of people that don't read tech news sites at all, let alone security announcements.

Get it fixed!

<not that it'll stop me using ff anyway>