"The problem is that it's possible to display a popup with a somewhat spoofed address bar where a number of special characters have been appended to the URL. This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions."
"Somewhat spoofed" is a fairly good description.
I've not had a chance to have a comprehensive look at this, but note after a quick once-over that the spoof only seems to work while the address bar is highlighted. As soon as you click anywhere in the screen the real address appears. Not only that, the address bar itself is highlighted, which is unusual during normal Web browsing.
Edit: It has been noted that Secunia's proof of concept does not work if IE7 is set to open pop-ups in a new tab, and that the proof of concept only works in the exact, specifically sized window that Secunia used when they displayed the result of the 'weakness'.
Richard G. Harper, MVP, comments:
"You could get it to work with a different size window but you'd have to re-calculate the invisible/spacer characters to make it work, and then it would be tied to THAT size window and no other.
There's no way to make it scalable - no way to make it so that it would properly obscure in a randomly-sized window, or a re-sized window. You can't even make it work in a maximized window since there's no hiding-space available there. A maximized window makes it very plain what the trick is."
I've emphasised the above text in bold and underline because it is very important. Imagine, if you will, that you've gone to a fake site and have just clicked in a form field to enter data... your address bar, which has been highlighted, blinks and suddenly displays a different address - people are going to notice that. They're also going to notice that what they think is their bank's Web site is only appearing in a little window that can't be resized... I'm sure the vast majority of people will see all of the above as just too weird.
One thing that also occurs to me, which I haven't played with, is to wonder what effect different screen resolutions will have.
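The weakness described above rests on padding the URL with a long run of blank or invisible characters so that, at one particular window width, only part of the address is visible. From a defender's side, that padding is itself an anomaly worth flagging in proxy logs or in links arriving by mail. The following check is an added example written for this post; it is not Secunia's proof of concept or anything Microsoft, SANS or the comment authors published. The set of "spacer" characters it looks for, the threshold of 16 consecutive spacers, and the sample URLs are all assumptions constructed for the example (the advisory does not say which characters the proof of concept used).

```python
from urllib.parse import urlsplit, unquote

# Characters that render as blank space or as nothing at all in most address
# bars. This set is an assumption for the example, not a list from the advisory.
SPACER_CHARS = frozenset(
    " \t\u00a0\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009"
    "\u200a\u200b\u200c\u200d\u2028\u2029\u202f\u205f\u3000\ufeff"
)


def longest_spacer_run(text: str) -> int:
    """Return the length of the longest run of consecutive spacer characters."""
    best = cur = 0
    for ch in text:
        if ch in SPACER_CHARS:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def spacer_padding_report(url: str, run_threshold: int = 16) -> dict:
    """Report whether the path/query/fragment of a URL is padded with spacers.

    Percent-encoding is decoded first so that "%20%20%20" and literal spaces
    are counted the same way. The host is returned as parsed, so a reviewer
    can compare it with whatever a truncated address bar would have shown.
    The threshold is an assumed tuning value, not a figure from the advisory.
    """
    parts = urlsplit(url)
    tail = unquote(parts.path) + unquote(parts.query) + unquote(parts.fragment)
    run = longest_spacer_run(tail)
    total = sum(1 for ch in tail if ch in SPACER_CHARS)
    return {
        "host": parts.hostname or "",
        "spacer_run": run,
        "spacer_total": total,
        "suspicious": run >= run_threshold,
    }


if __name__ == "__main__":
    # Constructed sample URLs: one ordinary, two padded with spacer characters.
    samples = [
        "https://www.example.com/login?next=/account",
        "https://www.example.com/" + "%20" * 40 + "secure/login",
        "https://www.example.com/" + "\u200b" * 30 + "x",
    ]
    for u in samples:
        print(spacer_padding_report(u))
```

In a log-review or mail-filter setting the `suspicious` flag is the trigger; the `host` field is what you would want an analyst to look at, because the whole point of the padding is that the visible part of the address does not tell the user which host they are really on.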
A special note to those who are yelling that the sky is falling and that IE7 should be blocked because of the above "weakness":
Wake up to yourselves. IE7 has been immune to virtually every *real* exploit that has been released - exploits that are actually being used in the wild to compromise systems, and are therefore a real danger to Web surfers. Any security advisor who recommended that IE7 be blocked on the basis of this address bar weakness, or the other reported IE7 vulnerability (which is not being exploited, and has not been exploited, despite being public since April and which says something in and of itself) would not last very long on any security team in which I had a say.
Professionals are meant to balance risk against reward, and not base their decisions on a pre-existing bias, whether it be their own bias or another's.
The Microsoft Security Response team have also blogged about this 'weakness':
SANS have seen fit to bump the description up from a "weakness" to a "vulnerability" for who knows what reason.
SANS's idea of "to work quite well" and my idea of "to work quite well" do not correlate.
As much as I dislike the fact that SANS have seen fit to call this *weakness* a *vulnerability*, to their credit they have said:
"We received a lot of reports from our readers suggesting that Firefox and some other browsers are vulnerable to this exploit as well.
In case of this vulnerability, it is not easy to say if a browser is vulnerable or not – we're not talking about exploiting a remote execution so it either works or it doesn't work. In this case, an attacker is actually trying to make the user believe that he's on a different site, and that can be, unfortunately, done using this vulnerability **on almost all browsers**."
You will note from the Opera and Firefox screenshots on the SANS site that Firefox does not show an address bar at all. Opera displays a small section of text.
When we compare the behaviour of IE7 to Firefox and Opera (see SANS screenshots) it can be said that IE7 is actually *safer* than Firefox and Opera. Why? Because:
1) The address bar is *highlighted* in IE7 when the window first opens - unusual in itself.
2) The address bar highlighting *turns off* (the address bar flashes) and the address that is displayed changes as soon as you click anywhere on the page being displayed. A visitor will instinctively look at the address bar as soon as that happens to see what just changed - a visual cue that both Firefox and Opera lack.
3) If the size of the pop-up window is changed in IE7, the weakness is immediately exposed.
Exploit window as it originally appears:
Exploit window after clicking anywhere on the page - note how the entire URL is displayed.