This is an "out of band security bulletin" so heads up people....
http://www.microsoft.com/technet/tre...n/ms04-004.asp
· A vulnerability that involves the incorrect parsing of URLs
that contain special characters. When combined with a misuse of the
basic authentication feature that has "username:password@" at the
beginning of a URL, this vulnerability could result in a
misrepresentation of the URL in the address bar of an Internet Explorer
window. To exploit this vulnerability, an attacker would have to host a
malicious Web site that contained a Web page that had a
specially-crafted link. The attacker would then have to persuade a user
to click that link. The attacker could also create an HTML e-mail
message that had a specially-crafted link, and then persuade the user to
view the HTML e-mail message and then click the malicious link. If the
user clicked this link, an Internet Explorer window could open with a
URL of the attacker's choice in the address bar, but with content from a
Web Site of the attacker's choice inside the window. For example, an
attacker could create a link that once clicked on by a user would
display http://www.tailspintoys.com in
the address bar, but actually contained content from another Web Site,
such as http://www.wingtiptoys.com. (Note:
these web sites are provided as an example only, and both redirect to
http://www.microsoft.com.)
What You Should Know About the Windows Security Update for February 2004:
http://www.microsoft.com/security/se...02_windows.asp
--
http://www.sbslinks.com/really.htm
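
An added example, not part of the original post or of Microsoft's bulletin: a small Python check a mail or proxy filter could run over link targets to flag the "username:password@" pattern the bulletin describes, reporting the host the browser would actually contact. The function name `audit_link`, the finding labels, and the sample URLs are constructed for illustration; treating "special characters" as any control character in the authority is an assumption, since the bulletin does not name them.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: "special characters" = any control byte (raw or
# percent-encoded) inside the authority part of the URL.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# A user name that itself looks like a DNS name is the lure: a reader
# takes it for the destination site.
HOSTLIKE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


def audit_link(url):
    """Return (real_host, findings) for one link target."""
    parts = urlsplit(url)
    authority = parts.netloc
    findings = []

    # Everything before the last "@" is userinfo, not the host.
    userinfo, sep, _hostport = authority.rpartition("@")
    if sep:
        findings.append("userinfo-present")
        user = CONTROL.sub("", unquote(userinfo.split(":", 1)[0]))
        if HOSTLIKE.match(user):
            findings.append("userinfo-looks-like-host:" + user)

    if CONTROL.search(unquote(authority)):
        findings.append("control-char-in-authority")

    # parts.hostname is the host after the "@", i.e. the real destination.
    return parts.hostname, findings


if __name__ == "__main__":
    # Constructed sample links using the bulletin's example site names.
    samples = [
        "http://www.wingtiptoys.com/index.htm",
        "http://www.tailspintoys.com@www.wingtiptoys.com/index.htm",
        "ftp://alice:secret@files.example.test/",
        "http://user%0Aname@www.wingtiptoys.com/",
    ]
    for s in samples:
        host, found = audit_link(s)
        print(f"{s}\n  real host: {host}\n  findings:  {found or 'none'}")
```
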