search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Microsoft Internet Explorer does not properly interpret IFRAME elements when displaying URLs in the status bar

Vulnerability Note VU#960454

Original Release Date: 2004-11-04 | Last Revised: 2004-11-05

Overview

Microsoft Internet Explorer does not properly display the location of HTML documents in the status bar. An attacker could exploit this behavior to mislead users into revealing sensitive information.

Description

Web browsers frequently display the Uniform Resource Locator (URL) in the status bar when a user moves the cursor over links contained within the page. A vulnerability exists in the way Microsoft Internet Explorer interprets HTML to determine the correct URL to display in the browser's status bar.

The Hypertext Markup Language (HTML) supports the use of the IFRAME element. The IFRAME element is used to display an in-line frame that contains the contents of another document. For instance, assume that a web developer specifies the following tag in an HTML document:

The IFRAME element creates an in-line frame that contains another document.

<iframe src="http://www.example.com">

If the web developer includes the IFRAME element within a web page, the contents of the URL specified in the src property of the IFRAME will be displayed inline with the document.

When Internet Explorer encounters an IFRAME element that is contained within an ANCHOR element (e.g., <a href="..."></a>), it will use the ANCHOR element's URL to display in the status bar, but access the URL specified in the IFRAME element when the user clicks on the link.

Note: Exploitation of this vulnerability does not require Active scripting to be enabled.

Impact

An attacker could mislead a user to into believing that the URL specified in the status bar is the site that will be accessed when the user clicks on the link. However, when the user clicks on the link they will visit a site different than the URL specified in the status bar and potentially controlled by the attacker. The attacker could use additional social engineering techniques to trick the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords.

Solution

We are currently unaware of a practical solution to this problem.

Install Windows XP Service Pack 2 (SP2)

Microsoft Windows XP SP2 does not appear to be affected by this vulnerability.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Vendor Information

960454
Expand all

Microsoft Corporation

Updated:  November 04, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have verified that this vulnerability affects Internet Explorer 6.0.2800.1106.xpsp1.020828-1920

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Updated:  November 04, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have verified that this vulnerability does not affect Safari version 1.2.3 (v125.9).

If you have feedback, comments, or additional information about this vulnerability, please send us email.

KDE Desktop Environment Project

Updated:  November 04, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have verified that this vulnerability does not affect Konqueror version 3.3.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mozilla

Updated:  November 04, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have verified that this vulnerability does not affect Mozilla version 1.7.3.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Opera Software

Updated:  November 04, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have verified that this vulnerability does not affect Opera version 7.54.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was reported by Benjamin Tobias Franz.

This document was written by Will Dormann and Damon Morda.

Other Information

CVE IDs: None
Severity Metric: 0.33
Date Public: 2004-11-02
Date First Published: 2004-11-04
Date Last Updated: 2004-11-05 18:53 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.