http-equiv has discovered a weakness in Internet Explorer, which can potentially be exploited by malicious people to trick users into visiting a malicious website.
It is normally possible for script code to manipulate information displayed in the status bar. However, an error in Internet Explorer allows manipulation of the status bar without using any script code. This can be exploited by embedding a specially crafted form in a link.
This also affects Outlook Express, as it uses the same HTML rendering functionality as Internet Explorer. Outlook Express users may especially trust information displayed in the status bar, since HTML documents are viewed in the context of the "Restricted" zone, which has scripting support disabled.
Successful exploitation may result in a user being tricked into visiting a malicious website by following a specially crafted link.
The problem has been confirmed in versions 5.01 and 6. Version 5.5 is likely also affected.
Solution: Never follow links from untrusted sources.
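For mail or web content filtering, the structure described above (a form embedded in a link) can be flagged without rendering the page. The following is an added example, not part of the original advisory or any vendor tooling: the function and class names are hypothetical, the sample markup is constructed, and the host comparison is an assumed triage hint rather than a detail stated in the advisory.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _host(url):
    """Lower-cased host part of a URL, or '' when it has none (relative URL)."""
    return (urlsplit(url).hostname or "").lower()


class FormInLinkFinder(HTMLParser):
    """Record every <form> start tag seen while an <a> element is still open."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.current_href = None  # href of the open <a>, None outside links
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            # Anchors cannot nest, so a new <a> replaces any unclosed one.
            self.current_href = attrs.get("href") or ""
        elif tag == "form" and self.current_href is not None:
            action = attrs.get("action") or ""
            link_host, action_host = _host(self.current_href), _host(action)
            self.findings.append({
                "line": self.getpos()[0],
                "link_href": self.current_href,
                "form_action": action,
                # Assumed triage hint: the form targets a different host.
                "host_mismatch": bool(action_host) and action_host != link_host,
            })

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None


def find_forms_in_links(html):
    """Return one finding per form that is embedded inside a link."""
    parser = FormInLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample body; the hosts are reserved example names.
SAMPLE = """<p>Ordinary link: <a href="http://www.example.com/">home</a></p>
<form action="http://www.example.com/search"><input type="submit"></form>
<a href="http://www.example.com/">
<form action="http://www.example.net/"><input type="submit"></form>
</a>"""

if __name__ == "__main__":
    for finding in find_forms_in_links(SAMPLE):
        print(finding)
```

Ordinary links and stand-alone forms produce no finding; only the nested form is reported, so the check is suitable for quarantining or tagging HTML mail before it reaches an affected client.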
Subject: Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing