Microsoft announced plans to change the way Internet Explorer (IE) handles certain URLs which in the past have been used to dupe users into visiting a site they didn't intend to visit.
Many browsers, including IE, have supported a URL format that includes the @ symbol. Typically such a symbol is used to transmit a username and password pair to a server that requires a login, for example http://[email protected]. However, someone could also use the same technique to send a user to a site they didn't intend to visit by crafting a URL such as http://www.microsoft.com@www.exampledomain.ext. The user might think that by clicking the URL they would go to www.microsoft.com; however, the URL would actually take the user to www.exampledomain.ext, because the browser treats everything before the @ symbol as login information and everything after it as the server to connect to.
The ploy has been used numerous times by intruders to spoof legitimate sites and dupe users into divulging sensitive information. Customers of various banks have been duped by such a URL into visiting a site that looks like the bank's real Web site, when in reality the site was a copy operated by intruders to collect bank customer information.
In article 834489 Microsoft explains that they will soon release a software update for IE 6.0 and 5.x running on the Windows Server 2003, XP, 2000, NT, and 98 platforms. With the update loaded, the spoofing technique will no longer work when used in conjunction with the HTTP and HTTPS protocols. At the same time, legitimate sites that use the @ symbol in URLs to gather login information ([email protected]) will no longer be accessible in that fashion via IE. The URL encoding method will, however, still work in IE for the FTP protocol. Microsoft said that registry keys can be used to disable the new HTTP and HTTPS URL encoding limitations that will be imposed by the update.
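The following is an added example, not code from the article or from Microsoft, that shows the two points above in working code: which host a URL with an @ symbol really resolves to (using Python's standard URL parser, whose behaviour matches the userinfo@host convention the article describes), and a policy check modelled on the update's behaviour, blocking @ in HTTP and HTTPS URLs while leaving FTP alone. The sample URLs are constructed; the function names `analyze_url` and `blocked_by_update` are this example's own.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for illustration (not taken from the article).
SAMPLE_URLS = [
    "http://www.microsoft.com@www.exampledomain.ext/login",  # spoof-style URL
    "https://user:secret@intranet.example/",                 # ordinary login URL
    "ftp://anonymous@ftp.example/pub/",                      # FTP login URL
    "http://www.example/ordinary",                            # no userinfo at all
]


def analyze_url(url):
    """Report where a URL really goes and whether its userinfo looks like a host.

    A browser treats everything before the last '@' in the authority part as
    login information and everything after it as the server, so the hostname
    returned here is the one that would actually be contacted.
    """
    parts = urlsplit(url)
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else None
    # Heuristic: real credentials rarely contain a dot; a dotted "username"
    # such as www.microsoft.com is the tell-tale sign of a spoofed link.
    username_part = userinfo.split(":", 1)[0] if userinfo else ""
    suspicious = "." in username_part
    return {
        "scheme": parts.scheme.lower(),
        "userinfo": userinfo,
        "actual_host": parts.hostname,
        "suspicious": suspicious,
    }


def blocked_by_update(url):
    """Model the update's policy: reject '@' in HTTP/HTTPS URLs, allow it for FTP."""
    parts = urlsplit(url)
    return parts.scheme.lower() in ("http", "https") and "@" in parts.netloc


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        info = analyze_url(sample)
        verdict = "BLOCKED" if blocked_by_update(sample) else "allowed"
        flag = " (userinfo looks like a hostname)" if info["suspicious"] else ""
        print(f"{sample}\n  -> connects to {info['actual_host']}; {verdict}{flag}")
```

Running the script prints, for each sample, the host the browser would actually contact and whether the modelled policy would block the URL; only the first sample is flagged as looking like a spoof, while the second is blocked too because the policy stops all HTTP and HTTPS userinfo, which is exactly the side effect on legitimate login URLs that the article notes.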