Yet another Internet Explorer exploit has been discovered. This one is ripe for many of the phishing scams that have been going around.
Secunia have a good, detailed advisory.
The vulnerability is caused due to an input validation error, which can be exploited by including the “%01” URL encoded representation after the username and right before the “@” character in an URL.
Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address bar, which is different from the actual location of the page.
Steve Minutillo has an example. Andy at absoblogginlutely has another example.
Remember, these only ‘work’ as intended in Internet Explorer.
Short link to this post: https://z1.tl/hc
Is this really an error, or a “feature” which turns out to be a security issue? It appears that the nondisplay character is working as intended.
I would say it is absolutely an error. Because it does not show the rest of the url. In other places IE will show that character as a little square. In this case Mozilla etc. do exactly that. IE truncates the URL at that point.
Maiby so I will understand why I must to reinstall my Windows each week!
Because of that I must to reinstall windows weekly?