- Judii's introduction:
Apologies for the somewhat technical nature of this e-mail. I feel the
message is important enough that it needs to be widely distributed, not
just to those who are curious about technical things.
Please read this article (and the NetSquirrel one noted in the body of the
message) and know that urls in HTML-FORMATTED e-mail messages and webpages
(all webpages are html-formatted; even pdf files can have html-formatting in
them) may be spoofed.
The identified problem affects all users of Microsoft Outlook or Internet
Explorer. It affects PCs and Macs (although Macs have a slight clue when
things are going wrong).
The article and the NetSquirrel page that it points to are effective
warnings, and show the risk, but I don't think explain how this happens.
They simply say that you should retype the urls in such messages/webpages
directly into the location bar of your browser instead of clicking on the
link. At the bottom of this e-mail I'll show you how it's done - if you're
interested (the article appears between dashed lines and my comments appear
after that). (Note: links in this e-mail cannot be spoofed ones because it's
coming to you as plain text - no html formatting.)
And, while the information pretty much says we're fools if we're using
Microsoft products, he does have hope that this 'bug' will be eliminated by
a major January 14 release of Microsoft product upgrades.
Now follows Patrick Douglas Crispin's TourBus e-newsletter's commentary on
this problem between dashed lines, followed by more comments from me.
If you use Internet Explorer, Microsoft Outlook Express, or Microsoft
Outlook, you're vulnerable to something called "URL Spoofing." Is
this earth-shattering? No. Should you lose sleep over it? No.
Should you at least know a little about it in order to protect your
personal information should something strange happen? ABSOLUTELY!
According to Microsoft,
a malicious user could create a link to a deceptive (spoofed) Web
site that displays the address, or URL, to a legitimate Web site
in the Status bar, Address bar, and Title bar.
Why is this a bad thing? Well, InformationWeek warns that
This flaw would make it appear to Internet users that they're
visiting a banking Web site, for example, when that site is
actually a front for fraudsters attempting to collect sensitive
How can you tell if you're vulnerable? Just hop on over to
and click on the microsoft.com link on that page. If Microsoft's
website loads in your web browser, move along. There's nothing to see
However, if the page that loads isn't Microsoft's but rather eBay's,
you're completely vulnerable. And remember, this vulnerability
doesn't just affect Internet Explorer, it also affects your copies of
Microsoft Outlook and/or Outlook Express.
Now for the REALLY bad news: There's no way to fix this problem. Yet.
Should you panic? As I said, no! But, until Microsoft finds a fix,
you should take the following precautions:
1. DON'T TRUST HYPERLINKS IN HTML-FORMATTED EMAIL MESSAGES
(emails that display images and hyperlinks and look very much
like web pages) even if those email messages are from your
friends or family. This is especially true for hyperlinks in
email messages from Amazon, AOL, eBay, PayPal, your bank, your
credit card company, or any other company you normally do
business with. If any web site, financial company, or
commercial entity sends you an email asking you to click on a
hyperlink in that email to update your account information, DO
NOT CLICK ON THAT LINK. Because of Internet Explorer's URL
spoofing vulnerability, you simply cannot trust hyperlinks in
HTML-formatted emails to point to the correct URL.
2. BE SUSPICIOUS OF HYPERLINKS ON WEB PAGES YOU HAVE NEVER
VISITED BEFORE. To be completely honest, the chance of you
running into a spoofed URL on a web page is pretty slim, and
the chance is all but zero on the big .com sites you visit
every day. More likely than not, the criminals will be
spoofing URLs in email messages, not on Web pages. But, if
you are at a web page you have never visited before, exercise
a little caution. If something feels wrong, leave.
3. THE BEST WAY TO AVOID BEING HIJACKED BY A SPOOFED URL IS TO
MANUALLY TYPE THE URL USING INTERNET EXPLORER'S ADDRESS BAR.
Remember, the spoof only affects hyperlinks in email messages
and web pages, not addresses you manually key in to your
Internet Explorer address bar. So, to be really safe, if you
need to access your account information at Amazon, AOL, eBay,
PayPal, your bank or financial institution, your credit card
company, or any other company you normally do business with,
manually enter the URL.
Some will also argue that this URL spoofing vulnerability is a perfect
reason to abandon Windows/Internet Explorer/eating with utensils.
That's for you to decide. However, since my email inbox will explode
if I don't say this, the smarter and better looking people long ago
abandoned Internet Explorer in favor of Mozilla, Safari, and Opera
(among others.) These smarter and better looking people look upon
Internet Explorer users with abject contempt, but they will happily
welcome you back into the smart and pretty club once you regain your
senses and adopt a different web browser and/or operating system.
By the way, does this URL spoof actually affect Mac and *nix users?
Yes and no. If you click on the Microsoft link on
http://www.netsquirrel.com/, you'll most likely be taken to eBay but
the URL in your address bar will look funky. That's good. It's
supposed to look funky. What's different in Internet Explorer is that
the spoofed URL *DOESN'T* look funky at all. And that's bad.
Finally, Broadband Reports has done the best job of covering this
vulnerability. You can find their latest update at
My guess is that Microsoft will patch this vulnerability when they
release their next batch of critical updates on January 14th. But I
could be wrong. Until the patch is released, exercise a little
caution and you should be fine.
When someone puts a link into an html document (email message or webpage),
they encase the url in a code such as:
<a href="http://www.microsoft.com">Microsoft Website</a>
or
<a href="http://www.microsoft.com">www.microsoft.com</a>
More generically, the link looks like:
<a href=" x "> y </a>
where x is replaced by the url and
y is replaced by the clickable text.
In the malicious html, the url has some extra characters tacked onto it:
so instead of correctly sending you to http://www.microsoft.com
the url is sending you to: http://www.microsoft.com%00@.../
I guess the way to interpret this computer code for humans is:
"When someone clicks on this link, make it look like the link will go to
microsoft.com, but really go to the ebay.com address."
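Here is an added example, not part of the original e-mail or the TourBus
article, that shows what a correct URL parser makes of such a link: in a URL,
anything before the "@" in the host part is a login name, not the
destination, so the real host is whatever follows the "@". The sample
message and the "phish.example" host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a ...>...</a> in a message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(url):
    """Host a browser actually connects to: text before '@' is user-info."""
    return (urlsplit(url).hostname or "").lower()


DOMAIN = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)  # domain-looking words in link text


def check_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it looks honest."""
    reasons = []
    userinfo = urlsplit(href).netloc.rpartition("@")[0]
    if userinfo:                       # e.g. "www.microsoft.com%00" in the spoofed link
        reasons.append("user-info before '@': %r" % unquote(userinfo))
    if "%00" in href:                  # the null byte that stops old IE from showing the rest
        reasons.append("null byte (%00) in URL")
    shown = {m.lower() for m in DOMAIN.findall(text)}
    host = real_host(href)
    if shown and not any(host == s or host.endswith("." + s) for s in shown):
        reasons.append("text shows %s but link goes to %s" % (", ".join(sorted(shown)), host))
    return reasons


def audit(html):
    """Run check_link over every link in an HTML message."""
    p = LinkExtractor()
    p.feed(html)
    return [(href, text, check_link(href, text)) for href, text in p.links]


# Constructed sample: one honest link and one spoofed link of the kind described above.
SAMPLE = ('<p>Honest: <a href="http://www.microsoft.com">www.microsoft.com</a></p>'
          '<p>Spoofed: <a href="http://www.microsoft.com%00@phish.example/">'
          'www.microsoft.com</a></p>')

if __name__ == "__main__":
    for href, text, reasons in audit(SAMPLE):
        print(text, "->", real_host(href), "; ".join(reasons) or "OK")
```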
What's the harm?
Well, if the 'incorrect' url is designed in such a way that you THINK you've
gone to a legitimate site, and the site LOOKS exactly as you'd expect the
real site to look, you might give them information or money that you
intend for the real url.
Well, I don't think I'm going to stop clicking on links in e-mails, but when
they are html-formatted and say they're going to take me to a site where I
need to divulge a userid/password, security code, bank account info,
personal address, credit card information, OR ACT ON ADVICE, I will ALWAYS
type the address identified and NOT click on a link that might take me to a