Info

Disclosure

Oct 25, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Microsoft Internet Explorer contains a flaw related to the way it displays urls in the address bar of pop-up windows that may allow an attacker to spoof the address bar and possibly conduct phishing attacks via a malicious URL containing non-breaking spaces (%A0).

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Workaround
Exploit: Exploit Public
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Click on the address bar in the pop up window and scroll to the left to see the url of the page.

Products

Microsoft Corporation

Internet Explorer

References

Security Tracker: 1017122
CVE ID: 2006-5544 (see also: NVD)
Bugtraq ID: 20728
Secunia Advisory ID: 22542
SCIP VulDB ID: 2630
ISS X-Force ID: 29827
CERT VU: 347188
Other Advisory URL: http://blogs.technet.com/msrc/archive/2006/10/26/ie-address-bar-issue.aspx
News Article: http://news.com.com/Spoofing+bug+found+in+IE+7/2100-1002_3-6129626.html
Generic Exploit URL: http://secunia.com/internet_explorer_7_popup_address_bar_spoofing_test/ [ Link is 404 ]
Keyword: phishing

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/30022