IE Flaw could lead to phishing expedition
Written by zhaotingting
February 21, 2008 11:32

A vulnerability in Internet Explorer has had the news media talking and security experts worrying. The vulnerability causes a spoofed URL (web address) to appear in the browser's address bar, making it appear as if visitors are on one site when in fact they are on another. Security experts fear such a flaw could be used by bank and credit card scammers to dupe even more users out of their critical financial details. News reports from USA Today and InformationWeek mistakenly 'credited' Secunia with having 'discovered' the flaw. In reality, the flaw was discovered by Zap The Dingbat and reported to the Bugtraq newsgroup on December 9th, 2003.

From there, the discovery email was quickly forwarded to the Full Disclosure group and eventually appeared on NTBugtraq as well. Security consultants Secunia then took the information and posted it on their own site, properly 'crediting' Zap The Dingbat.

Who initially discovered and reported the flaw is an important point, as there has been no shortage of controversy surrounding the disclosure. The controversy revolves around the fact that Zap The Dingbat released details of the flaw on the same date it reported the flaw to Microsoft. Typically, responsible disclosure allows enough time for the affected vendor to respond (preferably with a patch) before details of the specific exploit are released to the general public. Without such a waiting period, vulnerabilities can be, and often are, exploited before a patch is available for protection. In the case of this particular flaw, the exploit code is so trivial that it requires next to no technical ability to abuse it.

Email scammers typically try to mask links to make them 'appear' as if they point to legitimate sites. However, if one clicks through on such a link, the address bar in the browser will display the actual link, and observant users should quickly realize the trick. This method, and how to discover it without clicking through, is discussed in depth in the article eBay & PayPal scams. Briefly, though, it involves the use of an @ sign after the initial web address, followed by a second web address. In essence, it is the virtual equivalent of 'calling Sally at Fred's house' - in which case you will get Fred, and not Sally. It is important to note that this particular method of redirection is not a flaw or vulnerability, but rather a design specification laid out in RFC 2396 (the user-info portion of a URL) which allows for server-based name resolution. In other words, it is working as designed. This is not the case with the URL parsing vulnerability discovered by Zap The Dingbat.

Interestingly, in the parsing vulnerability the URLs are reversed. The bogus (spoofed) web address comes first, followed by the "@" sign, after which the percent-encoded form of the 0x01 control character is inserted, followed by the actual destination address. This causes the false web address to appear in the browser address bar, and hovering over such a link will also cause the false address to be displayed in the lower-left status portion of the browser window. Discovering such a ploy requires either viewing the source code of the web page or email, or right-clicking the link, choosing "Copy Shortcut" and pasting the result into the web browser address bar. Simply right-clicking the link and choosing Properties will not work, as the spoofed address will be displayed. However, observant users may notice an odd rectangular-shaped character following the address, a dead giveaway that the link is malformed. To see this firsthand, visit the Secunia example of the exploit, right-click the "Click Here to Perform Test!" link, and choose Properties.
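The two link shapes described above (the RFC 2396 "@" redirection and the reversed form with a control character that fooled IE's address bar) can both be flagged automatically by anyone filtering mail or web content. The following is an added example written for this article, not code from the original post or from Secunia or Zap The Dingbat. It uses Python's standard URL parser to find the host a correct parser actually connects to, checks the user-info portion for percent-encoded control characters, and models how a display routine that stops at the first control character would have shown the link. The host names, the sample message and the helper names are constructed for illustration.

```python
"""Flag deceptive links of the kinds discussed in the article.

Added example, not code from the original article. Hosts, the sample
message and the helper names are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, unquote

# Rough matcher for http(s) links inside a plain-text message body.
_LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _is_control(ch):
    """ASCII control character (0x00-0x1F or 0x7F), e.g. the 0x01 the IE flaw relied on."""
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def analyze_link(url):
    """Describe where a link really goes and whether its authority looks deceptive.

    Returns a dict with:
      real_host  - host a correct parser connects to (text after the last '@')
      userinfo   - RFC 2396 user-info portion before the '@', '' if none
      shown_as   - what a display routine that stops at a control character shows
      verdict    - 'ok'         : no user-info at all
                   'suspicious' : user-info present (the legitimate-but-abusable
                                  "Sally at Fred's house" redirection)
                   'spoofed'    : user-info contains control characters (the
                                  pattern of the IE address-bar spoofing flaw)
    """
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    real_host = (parts.hostname or "").lower()
    result = {"url": url, "real_host": real_host, "userinfo": userinfo,
              "shown_as": real_host, "verdict": "ok"}
    if not at:
        return result
    decoded = unquote(userinfo)          # turns "%01" into the raw 0x01 byte
    if any(_is_control(ch) for ch in decoded):
        # Model the flawed display: everything up to the first control character.
        cut = next(i for i, ch in enumerate(decoded) if _is_control(ch))
        result["shown_as"] = decoded[:cut]
        result["verdict"] = "spoofed"
    else:
        result["shown_as"] = userinfo
        result["verdict"] = "suspicious"
    return result


def scan_message(body):
    """Analyse every http(s) link found in a message body."""
    return [analyze_link(m.group(0)) for m in _LINK_RE.finditer(body)]


# Constructed sample phishing message: one link of each shape.
SAMPLE_MESSAGE = """\
Dear customer, please confirm your details at
http://www.example-bank.com%01@attacker.example/login
or via http://www.example-bank.com@attacker.example/
Our real site: http://www.example-bank.com/login
"""

if __name__ == "__main__":
    for r in scan_message(SAMPLE_MESSAGE):
        print(f"{r['verdict']:10s} shown as {r['shown_as']!r:28} real host {r['real_host']!r}")
```

The "suspicious" verdict is deliberately not an error: user-info in a URL is valid by specification, so a filter that rejects every "@" would also break legitimate links. The "spoofed" verdict is the one worth alerting on, because there is no legitimate reason for a user name to contain control characters, and it is exactly what a mail gateway or proxy could strip or quarantine independently of whether the user's browser has been patched.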

Concerns that this ploy could increase the number of phishing emails abound. According to the Federal Trade Commission (FTC), phishing "is a high-tech scam that uses spam to deceive consumers into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information." Such scams are common in email today and users are advised to exercise caution with any email claiming credit card or financial information is required. The FTC provides comprehensive guidelines for detecting and avoiding such scams, as well as contact information for reporting the offenders.