Technote: Internet Explorer URL spoofing vulnerability

News of a security vulnerability in the Internet Explorer program appeared on 12/11/03. This problem makes it possible for a malicious website to "impersonate" another in the IE Address Bar. iRider is not affected by this problem — it will display a complete address in its Address Bar when accessing such a site.

This page demonstrates the problem — open it in Internet Explorer and iRider, click "Test Exploit", and compare their Address Bars. Internet Explorer will erronously show only

"http://www.microsoft.com",

leading one to believe you're on Microsoft's website, and iRider will show

"http://www.microsoft.com
@zapthedingbat.com/security/ex01/vun2.htm",

which shows that you're actually on zapthedingbat.com. Since even the complete address may be misleading, iRider versions 2.09 and later display a warning message when such an address is encountered.

Keep in mind that, as with virtually any web browser security hole, it's necessary to browse to a malicious site or otherwise be directed there in order to encounter this URL spoofing vulnerability. Since this sort of thing is often done in spam email, it's yet another reason never to open spam or certainly never to open links contained in spam.

A common ruse is for spammers to send out email that appears to be from a well-known site, such as eBay, that contains links to a spoof site that collects passwords or other information on a page designed to look like one from the well-known website. So it's important to be wary of any unsolicited email that directs you to a website, even if it appears to be from a well-known source.

Even though iRider isn't affected by all Internet Explorer security vulnerabilities, it is affected by some, and in any case it's a good idea to apply any critical security updates that Microsoft issues for Windows or IE. See Microsoft's Windows Update page to download these. For more background on browser security issues, see the entry in our FAQ.