Microsoft Internet Explorer does not properly display the location of HTML documents. An attacker could exploit this behavior to mislead users into revealing sensitive information.
Web browsers frequently display the Uniform Resource Locator (URL) in the address bar. Users expect this information to indicate the source of the current browser frame. Microsoft Internet Explorer (IE) does not properly display URLs that contain certain non-printable characters. IE may connect to one address but display a different address.
Per RFC 2396, the URL scheme for HTTP is represented as
An attacker could convince a user that they were viewing a legitimate site when in fact they are visiting a site controlled by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords.
Apply the patch (832894) referenced in Microsoft Security Bulletin MS04-004 or a more recent IE cumulative patch.
This vulnerability was publicly reported by Zap The Dingbat.
This document was written by Art Manion and Shawn Hernan.
|Date First Published:||2003-12-20|
|Date Last Updated:||2004-02-17 22:58 UTC|