J-Security Center

Title: Microsoft Internet Explorer Embedded Image URI Obfuscation Weakness

Severity: HIGH

Description:

It has been reported that Microsoft Internet Explorer is prone to a URI obfuscation weakness that may hide the true contents of a URI link. The issue occurs when an image is contained within an HREF tag and the image is then mapped so that the HREF of the image map points to an alternate site. The MAP HREF appears to take priority over the HREF originally specified for the image, resulting in obfuscation of the true URI in both the status bar and the mouseover tooltip.

This weakness could be employed to trick a user into following a malicious link.

An attacker could exploit this issue by supplying a malicious image that appears to be a URI link pointing to a page designed to mimic that of a trusted site. If an unsuspecting victim were to mouse over the link in an attempt to verify the authenticity of the destination it references, they may be deceived into believing that the link references the actual trusted site. This could potentially cause a false sense of security for the victim.

Affected Products:

  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.0.1
  • Microsoft Internet Explorer 5.0.1 SP1
  • Microsoft Internet Explorer 5.0.1 SP2
  • Microsoft Internet Explorer 5.0.1 SP3
  • Microsoft Internet Explorer 5.0.1 SP4
  • Microsoft Internet Explorer 5.0.1 for Windows 2000
  • Microsoft Internet Explorer 5.0.1 for Windows 95
  • Microsoft Internet Explorer 5.0.1 for Windows 98
  • Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.5 SP1
  • Microsoft Internet Explorer 5.5 SP2
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 6.0 SP1
  • Microsoft Office 2000
  • Microsoft Office 2000 SP1
  • Microsoft Office 2000 SP2
  • Microsoft Office 2000 SP3
  • Microsoft Office 2003
  • Microsoft Office 2003 SP1
  • Microsoft Office 2003 SP2
  • Microsoft Office 2003 SP3
  • Microsoft Office XP
  • Microsoft Office XP SP1
  • Microsoft Office XP SP2
  • Microsoft Office XP SP3
  • Microsoft Outlook 2000
  • Microsoft Outlook 2000 SP2
  • Microsoft Outlook 2000 SR1
  • Microsoft Outlook 2000 SP3
  • Microsoft Outlook 2002
  • Microsoft Outlook 2002 SP1
  • Microsoft Outlook 2002 SP2
  • Microsoft Outlook 2002 SP3
  • Microsoft Outlook 2003
  • Microsoft Outlook 97
  • Microsoft Outlook 97 8.2.4212
  • Microsoft Outlook 98
  • Microsoft Outlook Express 4.0
  • Microsoft Outlook Express 4.0.1 SP2
  • Microsoft Outlook Express 4.27.3110
  • Microsoft Outlook Express 4.72.2106
  • Microsoft Outlook Express 4.72.3120
  • Microsoft Outlook Express 4.72.3612
  • Microsoft Outlook Express 5.0
  • Microsoft Outlook Express 5.0.1
  • Microsoft Outlook Express 5.5
  • Microsoft Outlook Express 6.0
  • Microsoft Windows 98SE
  • Microsoft Windows ME
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Itanium SP1
  • Microsoft Windows Server 2003 Itanium SP2
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Standard x64 Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows Server 2003 x64 SP2
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP Home
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Media Center Edition SP2
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional x64 Edition SP2
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Tablet PC Edition SP2
