Huge, nasty new IE hole found

Most digerati already know about the spammer and lamer trick to publish URLs that look like legitimate hostnames to fool people in to trusting a malicious site. This trick is frequently used by spammers to steal people’s PayPal accounts, by tricking them in to “resetting” their password at a site owned by the spammer but disguised as PayPal.com.

Today’s new IE vulnerability is significantly worse. By including an 0x01 character after the @ symbol in the fake URL, IE can be tricked in to not displaying the rest of the URL at all. Don’t expect a patch right away, the guy who found the hole released it to BugTraq on the same day he notified Microsoft. (via Simon Willison)

Comments are disabled for this post