Nasty new IE vulnerability

Most people reading are probably aware of the common trick whereby spammers and other assorted ne’er-do-wells publish URLs with usernames that look like hostnames to fool people into trusting a malicious site – for example, http://www.microsoft.com&session%[email protected]. This trick is frequently used by spammers to steal people’s PayPal accounts, by tricking them into “resetting” their password at a site owned by the spammer but disguised as PayPal.com.

Today’s new Internet Explorer vulnerability makes the problem a hundred times worse. By including a 0x01 character after the @ symbol in the fake URL, IE can be tricked into not displaying the rest of the URL at all. Don’t expect a patch for a while either; the guy who discovered the bug released it to BugTraq on the same day he notified the vendor.
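As an added example (not part of the original post), here is a defensive check that recovers the host a URL really points at and flags both tricks described above: a hostname-shaped token in the userinfo part, and control characters such as 0x01 in the authority. The host names in the sample URLs are constructed placeholders; IPv6 literals in the host are not handled.

```python
import re
from urllib.parse import unquote

CTRL = re.compile(r"[\x00-\x1f\x7f]")                       # ASCII control characters
HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")  # e.g. www.paypal.example


def analyse_url(url):
    """Describe where an http(s) URL really points and why it may be deceptive.

    Per RFC 3986 the authority is the text between '//' and the first
    '/', '?' or '#'. If it contains '@', everything before the LAST '@'
    is userinfo; only the part after it is the host the browser connects to.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("http", "https"):
        raise ValueError("expected an http(s) URL")
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    # rpartition returns ('', '', authority) when there is no '@' at all
    userinfo, _, hostport = authority.rpartition("@")
    host = hostport.split(":")[0]          # drop an explicit port
    decoded = unquote(authority)           # %01 and similar become the real byte

    warnings = []
    if userinfo:
        warnings.append("userinfo present; real host is " + host)
        if HOSTLIKE.match(unquote(userinfo)):
            warnings.append("userinfo looks like a hostname (lure)")
    ctrl = CTRL.findall(decoded)
    if ctrl:
        codes = ", ".join("0x%02x" % ord(c) for c in ctrl)
        warnings.append("control characters in authority: " + codes)

    # What an address bar that stops rendering at the first control
    # character would show, versus the host actually contacted.
    m = CTRL.search(decoded)
    shown = decoded[: m.start()] if m else decoded
    return {"host": host, "userinfo": userinfo,
            "display_if_truncated": shown, "warnings": warnings}


if __name__ == "__main__":
    # constructed sample in the shape the post describes
    for w in analyse_url("http://www.paypal.example&session%3D1234%01@hostile.example/reset")["warnings"]:
        print("WARNING:", w)
```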


[Simon Willison’s Weblog]