Some facts:
An update on the recently reported IE vulnerability that lets people create fake sites that look real and disguise their true address. You can see the bug in action using this hoax site: here (designed by us). If you are on IE, and visit the 'site', your Address bar will be wrong (say symantec.com). But your status bar, once in the page, may show something is bogus. If you don't believe it is not Symantec, click the privacy link at the bottom of the page.
You can also see a demo of faking a secure page with padlock and valid certificate (but not one from paypal): here.
Some facts about the vulnerability:
# Once at a fake site, only File..Properties will reveal a strange URL that does not agree with the Address bar.
# It appears that basically all Windows MSIE versions are vulnerable.
# If you use MSIE 'enhancers' such as IRider, you may be protected from the problem.
# With JavaScript enabled, it is trivial for the hoax site to modify the MSIE 'Status bar' to show whatever it wishes.
# Examples have been posted of mostly obscuring the tell-tale info in the IE status bar at the bottom, after you are on a hoax site, even with JavaScript (Active-Scripting) turned off.