A vulnerability has been identified in Microsoft Internet Explorer that allows an attacker to misrepresent the status bar in the browser, allowing vulnerable users to be mislead into following a link to a malicious site.
The issue presents itself when an attacker creates an HTML form with the submit 'value' property set to a legitimate site and the 'action' property set to the attacker-specified site. The malicious form could also be embedded in a link using the HTML Anchor tag and specifying the legitimate site as the 'href' property. This could aid in exploitation of other known browser vulnerabilities as the attacker now has a means to surreptitiously lure a victim user to a malicious site.
Microsoft Internet Explorer is vulnerable to this issue, however, Microsoft Outlook Express can used to carry out a successful attack as well since it relies on Internet Explorer to interpret HTML. It should also be noted that although HTML content is rendered in the Restricted Zone in Outlook Express, limiting the use of many HTML and DHTML tags, forms are still permitted. This vulnerability would most likely be exploited through HTML e-mail, though other attack vectors exist such as HTML injection attacks in third-party web applications.
The issue is reported to affect Internet Explorer 6 and Outlook Express 6. Other releases could also be affected.
<FORM action=http://www.malicious.com/t-bill.html method=get>
<INPUT style="BORDER-RIGHT: 0pt;
BORDER-TOP: 0pt; FONT-SIZE: 10pt; BORDER-LEFT: 0pt; CURSOR:
blue; BORDER-BOTTOM: 0pt; BACKGROUND-COLOR: transparent;
TEXT-DECORATION: underline" type=submit
<form action="http://www.malicious.com/" method="get">
<a href="http://www.example.com/"><input type="image" src="http://images.example.com/title.gif"></a>