A flaw in Internet Explorer that allows someone to display an incorrect website address in the browser window is just getting worse.
A patch issued by an apparently open source organisation, Open Wares, to fix the problem contained problematic code that left some systems more open to attack, while appearing to report back to the Open Wares.org website.
A new patch has now been made available but those who downloaded the original patch are now extremely suspicious of the fix – or simply ignorant that it has been issued at all.
In the meantime, despite two weeks' notice, Microsoft has yet to release an official fix, and offers instead only daft advice such as checking the source code for every URL people want to click.
The problem is a big one and was first spotted a fortnight ago. Zap The Dingbat noted on BugTraq that you need only include the characters "%01" in a link and Explorer stops displaying the URL at that point, so whatever follows it, including the site actually being visited, never appears in the address bar.
You can therefore get someone to visit a page on your website while, as far as they and their browser are concerned, they are connected to an entirely different domain. The implications are obvious: scammers will be able to persuade people they are visiting a legitimate site (any site, in fact) but direct them to their own.
Scams of this kind have worked in the past using look-alike domains, particularly those of online banks, and people's credit card and bank account details have been stolen that way. But this method gives even the wary little reason to question what they see: the browser appears to display clearly the domain they are visiting.
A very simple, very clear demonstration can be found at the Zap The Dingbat site. You think you're visiting Microsoft.com but are in fact looking at zapthedingbat.com/security/ex01/vun2.htm.
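To make the mechanism concrete, here is an added example (it is not code from this article, from Zap The Dingbat or from Microsoft) that splits a link into the host a browser will actually connect to and the address a user would read if the address bar stopped rendering at a "%01". It assumes the spoofed link carries the decoy name in the userinfo part of the URL, the text before an '@' in the authority, which is an assumption about the link's shape rather than something the article states; the sample links are constructed for the demonstration.

```javascript
// Added example, not code from the article or the sites it mentions.
// Assumption: the decoy name sits in the userinfo (before '@') and the
// real host follows it; the displayed address is cut at the first
// percent-encoded control character, as the article describes.

const CONTROL_ESCAPE = /%[01][0-9a-fA-F]/; // %00 .. %1F, percent-encoded
const RAW_CONTROL = /[\x00-\x1f\x7f]/;     // the same characters, unencoded

// Minimal RFC 3986-style split of an absolute http(s) URL.
function splitUrl(url) {
  const m = /^(https?):\/\/([^/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/i.exec(url);
  if (!m) return null;
  const authority = m[2];
  const at = authority.lastIndexOf('@');
  const userinfo = at >= 0 ? authority.slice(0, at) : '';
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;
  return {
    scheme: m[1].toLowerCase(),
    userinfo,
    host: hostport.split(':')[0].toLowerCase(),
    path: m[3] || '/',
  };
}

// The host the client connects to is whatever follows the last '@' in the
// authority; everything before it is userinfo and is never a hostname.
function realHost(url) {
  const p = splitUrl(url);
  return p ? p.host : null;
}

// Model of the displayed address described in the article: rendering stops
// at the first percent-encoded control character. This models the reported
// behaviour for illustration; it is not Internet Explorer's code.
function displayedAddress(url) {
  const i = url.search(CONTROL_ESCAPE);
  return i < 0 ? url : url.slice(0, i);
}

// Audit one link: report the real host, the host a user would read off the
// truncated address, and every reason the link looks suspicious.
function auditLink(url) {
  const real = splitUrl(url);
  if (!real) {
    return { ok: false, realHost: null, shownHost: null, reasons: ['not an absolute http(s) URL'] };
  }
  const reasons = [];
  if (CONTROL_ESCAPE.test(real.userinfo) || RAW_CONTROL.test(real.userinfo)) {
    reasons.push('control character in userinfo');
  }
  if (real.userinfo !== '') reasons.push('userinfo (credentials) before host');
  const shown = splitUrl(displayedAddress(url));
  const shownHost = shown ? shown.host : null;
  if (shownHost !== null && shownHost !== real.host) {
    reasons.push(`displayed host ${shownHost} differs from real host ${real.host}`);
  }
  return { ok: reasons.length === 0, realHost: real.host, shownHost, reasons };
}

// Constructed sample links for the demonstration (not captured from any site).
const SAMPLE_LINKS = [
  'http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm',
  'http://www.microsoft.com/',
  'http://user:pass@example.com/login',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const link of SAMPLE_LINKS) console.log(link, auditLink(link));
}
```

The check worth taking away is the first one: a hostname never appears before an '@' in a URL, so a link whose authority contains userinfo at all, let alone a control character inside it, deserves a second look regardless of what the address bar shows. Rejecting or rewriting such links in a mail filter or proxy is cheap and catches the trick without depending on the browser being fixed.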
So, not only do you no longer know for certain (if you are using Explorer 6, of course) where you are on the Internet, but you also have to be wary of taking people at face value and installing a patch, when that patch can drop all sorts of other software onto your computer for someone else's gain.
Now all it takes is someone to spoof a Microsoft domain purporting to lead to a fix for the issue and we really have entered the twilight zone that is Microsoft security.