
Flaw in Internet Explorer Makes Spoofing Easier

Microsoft recently posted a message to a newsgroup stating that it is aware of a flaw in Internet Explorer (IE) that could be used to trick users into visiting a Web site they did not intend to visit. Independent researchers discovered that inserting a special character into a URL would cause IE not to display the URL properly, in which case users might think they're navigating to one site when in reality they would be navigating to another.

The company said it is preparing a Knowledge Base article to help users identify spoofed URLs that rely on the recently discovered problem. When complete, the new article, 833786, will be available on the company's support Web site.

The company said that in the meantime other measures can be taken to confirm that a displayed URL matches the site actually being visited. In its newsgroup posting, Microsoft offered the following instructions:

1. In the Address bar, type:

javascript:alert("Actual URL: " + location.protocol + "//" + location.hostname + "/")

2. Compare the URL listed in the dialog with the URL displayed in the folder above the currently highlighted web page in the History pane. If they do not match, then the site is misrepresenting itself and you should leave the site by closing the browser.

To view the URL of the current page in the History pane of Internet Explorer:

1. If the History pane is currently open, on the toolbar, click the History button (the button with the circular green arrow) to close the History pane.

2. On the toolbar, click the History button to open the History pane.

3. If the address of the web site is not visible in the History list, click the arrow next to the View button at the top of the History bar and select "By Date" or "By Site".

4. In this History pane on the left side, the URL of the site hosting the page is highlighted in the folder above the page.

5. Compare the URL in the Address bar with the URL displayed in the folder above the currently highlighted web page in the History pane. If they do not match, then the site is misrepresenting itself and you should leave the site by closing the browser.
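
The same comparison can be scripted. The JavaScript below is an added example, not code from Microsoft or from the original article: it builds the same protocol-and-hostname string as the alert in step 1, compares it with the address the user was shown, and flags control characters in the URL. The function names and sample URLs are constructed, and treating the "special character" as a control character is an assumption, since the article does not name it.

```javascript
// Added example. All names and sample values are constructed for illustration.

// Assumption: "special character" means a C0 control character or DEL,
// either raw or percent-encoded (%00-%1F, %7F).
const CONTROL_CHAR = /[\u0000-\u001f\u007f]|%(?:[01][0-9a-f]|7f)/i;

// Builds the same string as the javascript: alert in step 1,
// but from a URL string instead of the live location object.
function actualSite(rawUrl) {
  const u = new URL(rawUrl);
  return u.protocol + "//" + u.hostname + "/";
}

// Compares the address a user was shown with the site the URL really points to.
function checkAddress(shown, rawUrl) {
  const findings = [];
  if (CONTROL_CHAR.test(rawUrl)) findings.push("control-character");

  let actual;
  try {
    actual = actualSite(rawUrl);
  } catch (e) {
    // A URL the parser rejects cannot be verified, so report it.
    return { actual: null, findings: findings.concat("unparseable") };
  }

  let shownSite = null;
  try {
    shownSite = actualSite(shown);
  } catch (e) {
    findings.push("shown-unparseable");
  }
  if (shownSite !== null && shownSite !== actual) findings.push("site-mismatch");
  return { actual, findings };
}

// Constructed samples: [address shown to the user, URL actually loaded].
const SAMPLES = [
  ["http://www.example.com/", "http://www.example.com/index.html"],
  ["http://www.example.com/", "http://login.example.net/%01account"],
];
for (const [shown, url] of SAMPLES) {
  const r = checkAddress(shown, url);
  console.log(shown, "->", r.actual, r.findings.join(",") || "ok");
}
```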
